Programming Forums

-   -   My Password Got Hacked (http://www.programmingforums.org/showthread.php?t=11858)

grimpirate Nov 12th, 2006 2:15 AM

My Password Got Hacked
 
Hmm... well this sorta relates to my other post regarding the forum I'm programming in PHP. I posted about it at another forum and someone got a hold of the usernames and passwords (http://grimpirate.4mak.net/board_users.inc) from the forum, which is no big deal since I'm the only registered user. However, that means they also hacked my account over at that particular forum since I was using the same password. I'm curious if anyone knows how they did this? I stored the passwords using an md5 algorithm on that file that's highlighted here. However, I thought that it took lots of computing time to successfully hack an md5 generated key. Any ideas? Seeing as this person successfully hacked my password (which I'm glad he did, 'cause he helped expose a fatal security flaw in the forum), I'd appreciate the input.

grimpirate Nov 12th, 2006 2:44 AM

Ahh I see... I found out one possible way. http://gdataonline.com/ contains the hashes of various types of words and the like and if you input a hash it gives you its corresponding text. Interesting. I'll have to find a way to work around that.

andro Nov 12th, 2006 3:53 AM

The work around is to either use something stronger than md5 or to pick passwords that aren't so terrible.

Wizard1988 Nov 12th, 2006 9:19 AM

You should avoid leaving your .inc and other important files exposed. Make a separate directory and use an .htaccess file to restrict who can see them.

Sane Nov 12th, 2006 12:33 PM

They probably did a library lookup on your password's MD5 hash. There are millions of stored hashes out there for library lookups. Your password was probably a known hash.

I'd suggest adding "salt" to your password before making it an MD5 hash. I'm not sure if you know how that works, so I'll explain anyway. There's a certain arbitrary string (e.g. "a5k50") that only your server knows. Every time someone enters a password, that arbitrary string is added to the beginning and end (or however you like) of the string, before it is encrypted in MD5. This is done every time someone sends your server a password, so it's just as if people are entering a more complicated password than normal. These salted passwords will not be in an MD5 hash lookup library, unless you're extremely unlucky.

tempest Nov 12th, 2006 6:57 PM

And maybe not naming files that include important data *.inc so they can be world readable via a web browser. Naming it to *.php would solve all of your problems.

grimpirate Nov 13th, 2006 4:34 AM

Well I tried to incorporate everything you guys suggested.
Andro:
I created my own 128 bit hashing function which I hope prevents the likelihood of people taking the time to determine the hashes it makes.
I may also provide an option to generate a random password as well (that way the passwords are even more difficult to hack)
Wizard1988:
I didn't utilize the htaccess file because as I imagine that feature would be too advanced for a novice (and I consider myself a novice) computer user.
Sane:
My new hash function I figure eliminates the need for "salting" the hash, but I'll keep that option in mind should it become necessary to use it later on, and of course there's no libraries for my own hash code, unless they were created in like that last 10 seconds lol :beard:
tempest:
I changed the board_users extension to .php (so that no one can look at what is stored within), which should help conceal the passwords from wandering eyes.

Thx for all your suggestions, they really helped give me a sense of direction.

Eoin Nov 13th, 2006 4:53 AM

Hi grimpirate, I'd recommend using one of the stronger hash functions that PHP offers, maybe WHIRLPOOL or sha512.

Using your own hash can seem to make sense but it is really security through obscurity. There are arguments for and against this so I'd recommend reading the wikipedia article and perhaps also some of the links.
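The following PHP is an added example for Sane's salting post and Eoin's suggestion of sha512; it is not code from the thread or from grimpirate's board. It assumes PHP 7 or later (for random_bytes, hash_equals and password_hash). The wordlist, the sample password and the "salt$hash" record format are all constructed for the demo, and it departs from Sane's description in one respect: the salt is random per user and stored beside the hash, rather than one string known only to the server, so two users with the same password still get different records.

```php
<?php
// Added example (not code from the thread or grimpirate's board).
// Shows why an unsalted MD5 falls to a lookup table, and how a per-user
// random salt with a stronger hash (sha512, as Eoin suggests) defeats it.
// Wordlist, sample password and record format are constructed for the demo.

declare(strict_types=1);

// 1. The attacker's side: a lookup table of md5(word) for a small, constructed
//    wordlist. Real tables (gdataonline-style) hold millions of entries.
function build_md5_lookup(array $wordlist): array {
    $table = [];
    foreach ($wordlist as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// 2. The original scheme: password stored as bare md5().
function store_unsalted(string $password): string {
    return md5($password);
}

// 3. Sane's scheme, tightened: a random salt per user (not one site-wide
//    string), stored next to the hash, with sha512 instead of md5.
//    Stored record format (assumed for this example): "salt$hash".
function store_salted(string $password): string {
    $salt = bin2hex(random_bytes(16));               // 128 random bits, hex-encoded
    $hash = hash('sha512', $salt . $password . $salt); // salt at both ends, as Sane describes
    return $salt . '$' . $hash;
}

function verify_salted(string $password, string $stored): bool {
    [$salt, $hash] = explode('$', $stored, 2);
    $candidate = hash('sha512', $salt . $password . $salt);
    return hash_equals($hash, $candidate);           // constant-time comparison
}

// 4. What PHP ships for exactly this job: bcrypt with its own random salt
//    and a tunable work factor, so a lookup table and a fast GPU both lose.
function store_modern(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_modern(string $password, string $stored): bool {
    return password_verify($password, $stored);
}

// --- demo on constructed data ---
$wordlist     = ['password', 'letmein', 'qwerty', 'grimpirate', 'dragon'];
$lookup       = build_md5_lookup($wordlist);
$userPassword = 'letmein';   // a weak dictionary password, chosen for the demo

$unsalted = store_unsalted($userPassword);
echo "unsalted md5:              $unsalted\n";
echo "lookup hit:                " . ($lookup[$unsalted] ?? '(none)') . "\n"; // letmein

$salted   = store_salted($userPassword);
$hashPart = explode('$', $salted, 2)[1];
echo "salted sha512 record:      $salted\n";
echo "lookup hit on salted hash: " . ($lookup[$hashPart] ?? '(none)') . "\n"; // (none)
echo "verify correct password:   " . var_export(verify_salted('letmein', $salted), true) . "\n";
echo "verify wrong password:     " . var_export(verify_salted('letmein1', $salted), true) . "\n";

$modern = store_modern($userPassword);
echo "bcrypt record:             $modern\n";
echo "verify modern:             " . var_export(verify_modern('letmein', $modern), true) . "\n";
```

Run it with `php example.php`. The salt only stops precomputed tables; an attacker who steals the records can still try candidate passwords one at a time against each salt, which is why step 4 matters: bcrypt (or PASSWORD_DEFAULT, which tracks PHP's current recommendation) makes every guess expensive, whereas a single sha512 costs microseconds. Whatever scheme is used, the stored records should never be reachable over HTTP in the first place.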

Wizard1988 Nov 13th, 2006 8:53 AM

.htaccess files aren't that hard.;) All you have to do is put all your config files in a folder of your choice and then put: "deny from all" in your .htaccess file, which should be in that directory. This will deny access to the directory from "outside". However your scripts should be able to access the files.
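An added example of the file Wizard1988 describes, not taken from the thread: an .htaccess dropped into the directory that holds board_users.inc and the other include files (the directory name is assumed). Both Apache syntaxes are given because "Deny from all" is the Apache 2.2 form; Apache 2.4 replaced it with "Require all denied" and only honours the old form when mod_access_compat is loaded.

```apache
# .htaccess in the includes directory (directory name assumed), added example.
# Apache 2.2 (mod_authz_host), as in Wizard1988's post:
Order deny,allow
Deny from all

# Apache 2.4 (mod_authz_core) equivalent; use this instead of the two lines
# above on 2.4 unless mod_access_compat is loaded:
# Require all denied
```

This only takes effect if the server's `AllowOverride` for that directory permits it (`Limit` for Order/Deny, `AuthConfig` for Require), so check it rather than trust it: `curl -I http://host/includes/board_users.inc` should return 403, not 200. PHP's include() reads the file through the filesystem, not through Apache's access rules, so the scripts keep working. Keeping the directory outside the document root altogether removes the dependence on .htaccess entirely.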

grimpirate Nov 13th, 2006 1:33 PM

Eoin:
I'm not relying on people not seeing my code, which is what would qualify as security through obscurity. I make the source code to the forum available. So anyone can read it and try to disassemble what I've done. Its usefulness lies in the strength of the cryptographic key as stated in the article. All I've done is slow hackers down with new keys 'cause they'd have to start a new library for my hashes or figure out a way to deconstruct my key (which is unlikely since it takes input of nth size).
Wizard1988:
I know how to use htaccess files Wiz, I'm just saying that someone else who's not savvy might not know or feel hesitant and not want to tinker with those sort of options. The idea behind the bulletin board is that it be as simple as tweaking some things in the config of the board itself and then just uploading it and it takes care of the rest.



Powered by vBulletin® Version 3.7.0, Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Copyright ©2007 DaniWeb® LLC