08-29-2006, 09:55 AM
interracialtoons
Confirmed User
Join Date: May 2006
Posts: 1,910
You got hacked!!! Here's the reason why...password encryption!!

You got hacked because you "protected" your passwords!

I discovered that the encryption of passwords makes it much easier for
hackers when users pick "bad" passwords.

Look at the cgi method in the script below that is used by most, if not all,
websites. Upload it to your server, name it something.cgi and run it.

Try this cgi script:



#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# same 2-character salt for every call
my $out1 = crypt('longpassword123', 'lo');
my $out2 = crypt('longpasswordabc', 'lo');
my $out3 = crypt('longpassword456', 'lo');
my $out4 = crypt('longpassworddef', 'lo');
my $out5 = crypt('longpasswordxyz', 'lo');
my $out6 = crypt('longpassword789', 'lo');

print "out1 = $out1<br>out2 = $out2<br>out3 = $out3<br>out4 = $out4<br>out5 = $out5<br>out6 = $out6";

exit;


Did you see that?


Perl crypt works by using a 2 digit value called the "SALT".
The salt in the script above is "lo", which is the first 2 digits of the password.

The salt used to encrypt the stored password must be used again to match
the stored password. So either the SALT is hardcoded into the routine so it's
always the same, or it is taken from the first 2 digits of the password.

So what we put into our password routines is this:

$stored = crypt($password, $password);

The crypt function only uses the first two digits, so it doesn't matter that
the salt entered is longer (i.e. the full password).


Then to check the password we do this:

my $check = crypt($enteredpass, $enteredpass);
if ($check eq $stored) { $let_the_user_in = "TRUE"; }



** Notice that all the passwords that were entered in the script('longpassword...')
matched the stored encrypted password!


So let's consider a lady named Jane Smith.
Jane is smart and does the following math:

0 thru 9 is 10 characters;
a thru z is 26 characters;
A thru Z is 26 characters; (capitalized)

for a total of 62 characters

Jane knows she can make 238,328 (62*62*62) unique character sets from the 62 characters
if she uses a 3 character set (ex. abc, efg, 123, 45b.....)

So even though her name is very common she figures it will take about 200,000
guesses at her password before anyone even gets close to figuring it out.

So she makes her password this: "janesmithMdY"

To be clever she adds a couple of caps, "M" and "Y".



Now run the following cgi script:


#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# salt = first two characters of Jane's password
my $out1 = crypt('janesmithMdY', 'ja');
my $out2 = crypt('janesmithabc', 'ja');
my $out3 = crypt('janesmith456', 'ja');
my $out4 = crypt('janesmithdef', 'ja');
my $out5 = crypt('janesmithxyz', 'ja');
my $out6 = crypt('janesmith789', 'ja');

print "out1 = $out1<br>out2 = $out2<br>out3 = $out3<br>out4 = $out4<br>out5 = $out5<br>out6 = $out6";

exit;


OMFG!!!!!!!!

Jane is wrong because instead of the hacker having to guess 200,000 times he has
a choice of 238,328 passwords that match!! So he only needs to try one password
from the 238,328. But hey, he doesn't know how many digits she used, so he still
has to do one more thing.


He has to try the following passwords:

janesmith
janesmith1
janesmith12
janesmith123 and FRIGGIN POW!! He's in!!!

Jane would have been correct if her password had not been encrypted but
too bad...she lost all the money in her bank account instead.




What if Jane had used this: "bh6janesmith"?



#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# salt = first two characters of each password, so it changes every time
my $out1 = crypt('abcjanesmith', 'ab');
my $out2 = crypt('123janesmith', '12');
my $out3 = crypt('efkjanesmith', 'ef');
my $out4 = crypt('bh6janesmith', 'bh');
my $out5 = crypt('opjjanesmith', 'op');
my $out6 = crypt('897janesmith', '89');

print "out1 = $out1<br>out2 = $out2<br>out3 = $out3<br>out4 = $out4<br>out5 = $out5<br>out6 = $out6";

exit;



Well she would have been a little better off because the "SALT"
would not have been known to the hacker...remember the salt is the
first 2 digits of the password.

So 62*62 = 3844 (2 digits, 62 chars) and the hacker would have to
guess up to 3844 times. Not hard to do with a script!





Conclusion:

* Encrypting passwords can make it easier for hackers if you choose bad passwords.

* Did you notice that the "salt" was included as the first two digits of the encrypted
password? So 3 letter passwords can be hacked by employees in 62 guesses (using only
alpha-numeric) even though encrypted, since they can look at the encrypted password
and see the first 2 chars!

* The problem with "crypt" is that when a non-unique string (ex. "janesmith") is longer
than an included "unique" string (ex. "MdY"), it mostly encrypts the larger portion
of the string, which is not unique.


So "jane186" is far better than "janesmith186" or "186janesmith"

Try it:

#!/usr/bin/perl
use strict;
use warnings;

print "Content-type: text/html\n\n";

# shorter common part, same 'ja' salt
my $out1 = crypt('janeMdY', 'ja');
my $out2 = crypt('janeabc', 'ja');
my $out3 = crypt('jane456', 'ja');
my $out4 = crypt('janedef', 'ja');
my $out5 = crypt('janexyz', 'ja');
my $out6 = crypt('jane789', 'ja');

print "out1 = $out1<br>out2 = $out2<br>out3 = $out3<br>out4 = $out4<br>out5 = $out5<br>out6 = $out6";

exit;




* So like most websites say the best password is something like "bG7ei5Ma".


If you thought this was informative and maybe it will save your butt one day and you'd like
to make a small donation for my research, you can

Paypal me (webmaster at econfirmpro DOT COM) or
epassporte me (webmaster at iLLsex DOT COM)



Thanks in advance.
__________________
Done.
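Added example (Perl, because that is what the post uses; this is not code from the post or its author). The scripts above produce identical outputs because traditional DES-based crypt(3) hashes only the first 8 characters of the key and uses a 2-character salt, so anything past "janesmit" is discarded whichever salt is supplied. The script below shows that truncation directly, then shows why crypt($password, $password) gives no real salt (the salt is a function of the password, so two users with the same password store the same value and the salt is readable from the stored hash), and finally a routine with a per-user random salt and SHA-512 crypt. It assumes a system whose crypt(3) still accepts DES salts and the "$6$" SHA-512 scheme (glibc and libxcrypt do) and that /dev/urandom exists; the user names and passwords are made up.

```perl
#!/usr/bin/perl
# Added example, not from the original post.
# Assumes crypt(3) supports both traditional DES (2-char salt) and the
# "$6$" SHA-512 scheme, and that /dev/urandom is readable.
use strict;
use warnings;

# 1. Traditional DES crypt hashes only the first 8 characters of the key,
#    so these collide no matter which salt is used.
sub des_collides {
    my ($pw_a, $pw_b, $salt) = @_;
    return crypt($pw_a, $salt) eq crypt($pw_b, $salt);
}
printf "%-14s %s\n", $_, crypt($_, 'ja')
    for qw(janesmithMdY janesmithabc janesmith789 janesmit);
print "DES: 'janesmithMdY' and 'janesmith789' collide\n"
    if des_collides('janesmithMdY', 'janesmith789', 'ja');

# 2. The post's scheme, crypt($pw, $pw): the salt is derived from the
#    password, so equal passwords give equal stored values for every user,
#    and the first two characters of the stored value are the salt.
my %users = (alice => 'janesmithMdY', bob => 'janesmithMdY');   # constructed
my %stored_bad = map { ($_ => crypt($users{$_}, $users{$_})) } keys %users;
print "bad:  $_ => $stored_bad{$_}\n" for sort keys %stored_bad;

# 3. Per-user random salt plus a slow, modern crypt scheme.  crypt()
#    returns "$6$rounds=...$salt$hash"; that whole string is stored.
sub random_salt {
    my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '.', '/');   # 64 symbols
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 16 or die "read: $!";
    close $fh;
    return join '', map { $chars[ ord($_) % @chars ] } split //, $bytes;
}
sub hash_password {
    my ($pw) = @_;
    return crypt($pw, '$6$rounds=100000$' . random_salt() . '$');
}
sub verify_password {
    my ($pw, $stored) = @_;
    # Passing the stored string as the salt makes crypt reuse the scheme,
    # rounds and salt encoded in it and ignore the hash part.
    return crypt($pw, $stored) eq $stored;
}
my %stored_good = map { ($_ => hash_password($users{$_})) } keys %users;
print "good: $_ => $stored_good{$_}\n" for sort keys %stored_good;

# Same password, different stored values, still verifies, and the
# 8-character truncation is gone.
die "verify failed\n"
    unless verify_password('janesmithMdY', $stored_good{alice});
die "truncation still present\n"
    if verify_password('janesmith789', $stored_good{alice});
print "SHA-512 crypt: verify ok, no truncation\n";
```

Run it with `perl filename.pl` from a shell; it is not a CGI. On libxcrypt builds that have DES disabled, the DES lines print a failure token instead of a hash, which is itself a sign that the 2-character-salt scheme should not be in use.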