Old 12-31-2007, 01:59 PM  
raymor
loco12, I think we got an email from you and Ali is responding right now.
In summary, any script anywhere on the server could be exploited by a
hacker to retrieve your password list. PHP scripts tend to be particularly
vulnerable. In brief, what you'll need to do is a standard security check
getting rid of any old, unused scripts or scripts that shouldn't be there at
all, then check for security updates on any scripts that you continue to use.
The idea is to get rid of any means the cracker may have of getting the
password file. This is separate from any protection you might use such as
Strongbox, Password Sentry, Frog, etc. These systems will alert you to the
problem, but they can't patch up other scripts elsewhere on the server that
may allow an attacker to get the file.

Secondly, we'll look at the encryption on the password file so that even if a
cracker DOES get it, it does them no good. justsexxx brought this topic up:

Quote:
Originally Posted by justsexxx
Just curious, the passwords are encrypted. Is there a way to 'decrypt' them?

Yes, it's incredibly easy to decrypt the old DES encryption that most people use.
It takes only a few seconds to start getting working passwords. That's why we
strongly recommend modern strong encryption and provide you the tools to do
that. This is of course where the people suggesting Phantom Frog have it totally
backwards - in its recommended configuration using strong encryption, a
Strongbox password file is several million times harder to crack than a
standard Phantom Frog installation. What would take a cracker 14 seconds
with Phantom Frog's normal install would take 181 years with ours.

Quote:
Originally Posted by mrwilson
Strongbox can be easily bruteforced using a proxy list and wordlist and many of the bruteforce tools available.

instead of usernames you could perhaps use emails?
or make the username and password longer with #'s and other characters.

Phantomfrog is also recommended...

Wilson, you like to spout your mouth off based on some personal feelings you
have against someone involved with Strongbox, but despite our offer of a
$10,000 reward if you could ever brute force a Strongbox site you don't
come up with the goods. Why is it that you talk so much trash but can't back
it up even when we offer you $10,000 to do so? Perhaps because you have
no idea what you're talking about and just like to make yourself look stupid?
__________________
For historical display only. This information is not current:
support@bettercgi.com ICQ 7208627
Strongbox - The next generation in site security
Throttlebox - The next generation in bandwidth control
Clonebox - Backup and disaster recovery on steroids
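The post's central technical claim is that a stolen password file hashed with the old DES crypt() falls to a wordlist in seconds, while a file protected with a slow, salted hash does not. The following Python is an added illustration of that difference, written for this page; it is not Strongbox's code, not Phantom Frog's, and not something raymor posted. Since the post does not say which "modern strong encryption" Strongbox uses, PBKDF2-HMAC-SHA256 stands in for it here, and Apache's unsalted `{SHA}` htpasswd format stands in for the fast legacy hash (Python's `crypt` module is deprecated, so DES crypt() itself is not used). The `$pbkdf2-sha256$` record layout, the four accounts, the fixed salt and the wordlist are all constructed for the example.

```python
"""Dictionary attack against an htpasswd-style password file.

Added illustration for this page: a fast, unsalted legacy hash next to a slow,
salted KDF, so the "seconds versus years" point can be measured. Not Strongbox code.
"""
import base64
import hashlib
import hmac
import os
import time

# Constructed wordlist (not from the post).
WORDLIST = ["letmein", "123456", "password", "qwerty", "hunter2", "summer2007"]

# Iteration count kept low so the demo finishes in about a second; production
# deployments use a much higher count, or bcrypt/scrypt/Argon2 instead.
PBKDF2_ITERATIONS = 100_000


def sha_entry(user, password):
    """Apache's "{SHA}" htpasswd format: base64(SHA-1(password)).

    No salt and one fast hash per guess, so a stolen file cracks at memory
    speed, which is the weakness the post attributes to the old DES crypt() files.
    """
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def pbkdf2_entry(user, password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256 entry.

    The "$pbkdf2-sha256$<iters>$<salt>$<key>" layout is this example's own
    convention (assumed for illustration), not an Apache htpasswd format.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return (f"{user}:$pbkdf2-sha256${iterations}$"
            f"{base64.b64encode(salt).decode()}${base64.b64encode(dk).decode()}")


def verify(stored, guess):
    """Check one guess against one stored hash, dispatching on its prefix."""
    if stored.startswith("{SHA}"):
        computed = base64.b64encode(hashlib.sha1(guess.encode()).digest()).decode()
        return hmac.compare_digest(computed, stored[5:])
    if stored.startswith("$pbkdf2-sha256$"):
        _, _, iters, salt_b64, key_b64 = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                 base64.b64decode(salt_b64), int(iters))
        return hmac.compare_digest(base64.b64encode(dk).decode(), key_b64)
    raise ValueError(f"unsupported hash format: {stored[:12]}")


def crack(htpasswd_text, wordlist):
    """Offline dictionary attack: returns {user: password} for every entry hit."""
    found = {}
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        for guess in wordlist:
            if verify(stored, guess):
                found[user] = guess
                break
    return found


def cost_ratio(sha_guesses=2000, kdf_guesses=3):
    """How many times more expensive one PBKDF2 guess is than one {SHA} guess."""
    fast = sha_entry("t", "x").split(":", 1)[1]
    slow = pbkdf2_entry("t", "x", salt=b"constructed-salt").split(":", 1)[1]
    t0 = time.perf_counter()
    for i in range(sha_guesses):
        verify(fast, f"guess{i}")
    t_fast = (time.perf_counter() - t0) / sha_guesses
    t0 = time.perf_counter()
    for i in range(kdf_guesses):
        verify(slow, f"guess{i}")
    t_slow = (time.perf_counter() - t0) / kdf_guesses
    return t_slow / t_fast


# Constructed sample file: two legacy entries and two PBKDF2 entries. The fixed
# salt only makes the file reproducible; real salts come from os.urandom.
SAMPLE_HTPASSWD = "\n".join([
    sha_entry("alice", "password"),
    sha_entry("bob", "summer2007"),
    pbkdf2_entry("carol", "hunter2", salt=b"constructed-salt"),
    pbkdf2_entry("dave", "correct-horse-battery-staple", salt=b"constructed-salt"),
])

if __name__ == "__main__":
    print(crack(SAMPLE_HTPASSWD, WORDLIST))  # alice, bob and carol fall; dave survives
    print(f"one PBKDF2 guess costs ~{cost_ratio():.0f} x one {{SHA}} guess")
```

Two things the numbers show that the post only states: the dictionary attack finds every weak password regardless of hash type, because a slow hash buys time per guess, not immunity (carol's "hunter2" still falls), and the per-guess cost ratio is what turns "14 seconds" into years once the attacker has to exhaust a real keyspace rather than a short wordlist. A genuine DES crypt() entry would slot into `verify` through a crypt library; real attackers use hashcat or John the Ripper rather than this loop, and the salt also defeats precomputed tables across users.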