Programming Forums
Old Nov 12th, 2006, 1:15 AM   #1
grimpirate
My Password Got Hacked

Hmm... well, this sort of relates to my other post regarding the forum I'm programming in PHP. I posted about it at another forum and someone got a hold of the usernames and passwords (http://grimpirate.4mak.net/board_users.inc) from the forum, which is no big deal since I'm the only registered user. However, that means they also hacked my account over at that particular forum, since I was using the same password. I'm curious if anyone knows how they did this? I stored the passwords using an MD5 algorithm in that file that's highlighted here. However, I thought that it took lots of computing time to successfully hack an MD5-generated key. Any ideas? Seeing as this person successfully hacked my password, which I'm glad he did 'cause he helped expose a fatal security flaw in the forum, I'd appreciate the input.
Old Nov 12th, 2006, 1:44 AM   #2
grimpirate
Ahh I see... I found out one possible way. http://gdataonline.com/ contains the hashes of various types of words and the like and if you input a hash it gives you its corresponding text. Interesting. I'll have to find a way to work around that.
Old Nov 12th, 2006, 2:53 AM   #3
andro
The workaround is either to use something stronger than MD5 or to pick passwords that aren't so terrible.
Old Nov 12th, 2006, 8:19 AM   #4
Wizard1988
You should avoid leaving your .inc and other important files exposed. Make a separate directory and use an .htaccess file to restrict who can see them.
Old Nov 12th, 2006, 11:33 AM   #5
Sane
They probably did a library lookup on your password's MD5 hash. There are millions of stored hashes out there for library lookups. Your password was probably a known hash.

I'd suggest adding "salt" to your password before making it an MD5 hash. I'm not sure if you know how that works, so I'll explain anyway. There's a certain arbitrary string (e.g. "a5k50") that only your server knows. Every time someone enters a password, that arbitrary string is added to the beginning and end (or however you like) of the string, before it is encrypted in MD5. This is done every time someone sends your server a password, so it's just as if people are entering a more complicated password than normal. These salted passwords will not be in an MD5 hash lookup library, unless you're extremely unlucky.
Old Nov 12th, 2006, 5:57 PM   #6
tempest
And maybe don't name files that include important data *.inc, so they aren't world-readable via a web browser. Renaming them to *.php would solve all of your problems.
Old Nov 13th, 2006, 3:34 AM   #7
grimpirate
Well, I tried to incorporate everything you guys suggested.
Andro:
I created my own 128-bit hashing function, which I hope reduces the likelihood of people taking the time to determine the hashes it makes.
I may also provide an option to generate a random password as well (that way the passwords are even more difficult to hack).
Wizard1988:
I didn't utilize the .htaccess file because I imagine that feature would be too advanced for a novice (and I consider myself a novice) computer user.
Sane:
My new hash function, I figure, eliminates the need for "salting" the hash, but I'll keep that option in mind should it become necessary to use it later on, and of course there are no libraries for my own hash code, unless they were created in like the last 10 seconds lol
tempest:
I changed the board_users extension to .php (so that no one can look at what is stored within), which should help conceal the passwords from wandering eyes.

Thx for all your suggestions, they really helped give me a sense of direction.
Old Nov 13th, 2006, 3:53 AM   #8
Eoin
Hi grimpirate, I'd recommend using one of the stronger hash functions that PHP offers, maybe WHIRLPOOL or sha512.

Using your own hash can seem to make sense, but it is really security through obscurity. There are arguments for and against this, so I'd recommend reading the Wikipedia article and perhaps also some of the links.
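An added example (not code from this thread or from the GrimBB forum software) that puts Sane's salt advice and Eoin's stronger-hash advice side by side: a constructed five-word MD5 lookup table recovers an unsalted hash instantly, Sane's secret-string salting keeps the hash out of that table, and a per-user random salt with PBKDF2-SHA512 (key stretching, a generalization beyond what the thread says) is the form a forum should store. The server secret "a5k50" is Sane's sample value; the wordlist and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the millions of entries a public
# hash-lookup site holds; real tables are far larger but work the same way.
WORDLIST = ["password", "letmein", "dragon", "qwerty", "grimbb"]

# The lookup "library": md5(word) -> word, built once, consulted in O(1).
MD5_LIBRARY = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}

def library_lookup(md5_hex: str):
    """Recover a password from its plain MD5 hash if the table contains it."""
    return MD5_LIBRARY.get(md5_hex)

def unsalted_md5(password: str) -> str:
    """What the original board stored: the bare MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()

# Sane's scheme: a server-side secret prepended and appended before hashing.
SERVER_SECRET = "a5k50"  # Sane's sample value; in practice use a long random secret

def secret_salted_md5(password: str) -> str:
    return hashlib.md5((SERVER_SECRET + password + SERVER_SECRET).encode()).hexdigest()

# Stronger, in the direction Eoin points: sha512 plus a per-user random salt and
# key stretching (PBKDF2, assumed here). Record format: salt_hex$digest_hex.
ITERATIONS = 100_000  # assumed work factor; raise as hardware allows

def make_password_record(password: str, salt: bytes = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, record: str) -> bool:
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                    bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    print("unsalted md5 recovered:", library_lookup(unsalted_md5("dragon")))
    print("salted md5 recovered:", library_lookup(secret_salted_md5("dragon")))
    rec = make_password_record("dragon")
    print("verify right:", verify_password("dragon", rec),
          "verify wrong:", verify_password("dragon1", rec))
```

Two records for the same password differ because each gets its own salt, so a table built for one user's hash tells an attacker nothing about another's.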
Old Nov 13th, 2006, 7:53 AM   #9
Wizard1988
.htaccess files aren't that hard. All you have to do is put all your config files in a folder of your choice and then put "deny from all" in your .htaccess file, which should be in that directory. This will deny access to the directory from "outside". However, your scripts should still be able to access the files.
Old Nov 13th, 2006, 12:33 PM   #10
grimpirate
Eoin:
I'm not relying on people not seeing my code, which is what would qualify as security through obscurity. I make the source code to the forum available, so anyone can read it and try to disassemble what I've done. Its usefulness lies in the strength of the cryptographic key, as stated in the article. All I've done is slow hackers down with new keys 'cause they'd have to start a new library for my hashes or figure out a way to deconstruct my key (which is unlikely since it takes input of nth size).
Wizard1988:
I know how to use htaccess files Wiz, I'm just saying that someone else who's not savvy might not know or feel hesitant and not want to tinker with those sort of options. The idea behind the bulletin board is that it be as simple as tweaking some things in the config of the board itself and then just uploading it and it takes care of the rest.
DaniWeb IT Discussion Community