Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 08-29-2006, 01:55 PM   #51
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
the man page (below) doesn't say anything, but I tested the htpasswd site I set up for yer man to crack with a 9char passwd and only the 9char passwd will work...


man crypt
ENIGMA(1) FreeBSD General Commands Manual ENIGMA(1)

NAME
enigma, crypt -- very simple file encryption

SYNOPSIS
enigma [-s] [-k] [password]
crypt [-s] [-k] [password]

DESCRIPTION
The enigma utility, also known as crypt is a very simple encryption pro-
gram, working on a ``secret-key'' basis. It operates as a filter, i.e.,
it encrypts or decrypts a stream of data from standard input, and writes
the result to standard output. Since its operation is fully symmetrical,
feeding the encrypted data stream again through the engine (using the
same secret key) will decrypt it.

There are several ways to provide the secret key to the program. By
default, the program prompts the user on the controlling terminal for the
key, using getpass(3). This is the only safe way of providing it.

Alternatively, the key can be provided as the sole command-line argument
password when starting the program. Obviously, this way the key can eas-
ily be spotted by other users running ps(1). As yet another alternative,
enigma can be given the option -k, and it will take the key from the
environment variable CrYpTkEy. While this at a first glance seems to be
more secure than the previous option, it actually isn't since environment
variables can also be examined with ps(1). Thus this option is mainly
provided for compatibility with other implementations of enigma.

When specifying the option -s, enigma modifies the encryption engine in a
way that is supposed to make it a little more secure, but incompatible
with other implementations.

Warning
The cryptographic value of enigma is rather small. This program is only
provided here for compatibility with other operating systems that also
provide an implementation (usually called crypt(1) there). For real
encryption, refer to bdes(1), openssl(1), pgp(1), or gpg(1). However,
restrictions for exporting, importing or using such tools might exist in
some countries, so those stronger programs are not being shipped as part
of the operating system by default.

ENVIRONMENT
CrYpTkEy used to obtain the secret key when option -k has been
given

EXAMPLES
man enigma | enigma > encrypted
Enter key: (XXX -- key not echoed)

This will create an encrypted form of this man page, and store it in the
file `encrypted'.

enigma XXX < encrypted

This displays the previously created file on the terminal.

SEE ALSO
bdes(1), gpg(1), openssl(1), pgp(1), ps(1), getpass(3)

HISTORY
Implementations of crypt are very common among UNIX operating systems.
This implementation has been taken from the Cryptbreakers Workbench which
is in the public domain.

FreeBSD 5.4 May 14, 2004 FreeBSD 5.4

This problem only concerns the crypt function, using another form of encryption is a different story. I brought this up because plenty of programs do use the crypt method to put passwords into the htpasswd file and they should switch to a direct htaccess creation like you. I assume your site is working, I didn't get to try it.

Anyway enough of this I got other stuff to do.
But it was interesting for me to actually see how bad crypt() could be with a bad password.
Old 08-29-2006, 02:00 PM   #52
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by interracialtoons
Anyway enough of this I got other stuff to do.
But it was interesting for me to actually see how bad crypt() could be with a bad password.
You haven't shown anything. You asked for someone to put up a 3-char password and you'd crack it in 1 try.

Yes, the 8-char limit for some OSs has been shown, but so fucking what?
First you started out saying the salt added to the passwd, which was shot down since no one uses standard salt. Then you said no one understands. Then you asked for a proof-of-concept 3char passwd to crack. Then you said you've had enough and you're off to bed?????

Ehm,

Thankfully, nobody hires you to programme for them.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202
Old 08-29-2006, 02:08 PM   #53
boldy
Macdaddy coder
 
Join Date: Feb 2002
Location: MacDaddy pimp coder
Posts: 2,806
Yep, you're on crack
__________________
MacDaddy Coder.
Old 08-29-2006, 02:09 PM   #54
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by Phil21
borked,

yep, FreeBSD does not use standard DES crypt, which is explained in the man page. Which was basically my entire point

For systems that DO use standard DES crypt (the majority, I would assume), there is absolutely an 8 character limit. This is what the OP was running into, not some strange "salt doesn't matter" etc. issue. Just a well known, designed in, and documented character limit.

Just to re-iterate since my point seems to be entirely lost.

THE PASSWORD HASHES ARE THE SAME BECAUSE THE PASSWORD IS THE SAME.

Again.

THE PASSWORD HASHES ARE THE SAME BECAUSE THE PASSWORD IS THE SAME.

12345678 is EXACTLY THE SAME as 12345678abcdefg for standard DES crypt.

There is no security issue here, if you don't like the 8 character limit either run a different OS (FreeBSD) or simply use a compatible but different crypt() function (yes, Apache's htpasswd can be updated, as well as perl's, whatever)

Peace,

-Phil

Well, you're right!

The limit is 8 chars.

I only got into the salt debate because someone posted that the problem could be fixed with random salt.

The only fix is to limit passwords to 8 chars or use something other than crypt()



Well, at least I discovered some really smart people in this post which made it all worth my time.

Thanks for all the replies and "battles" hehehe!
Old 08-29-2006, 02:15 PM   #55
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
so you hacked the 3-char passwd yet?
If you generated the password with anything other than crypt() then I can NOT hack it.
Old 08-29-2006, 02:20 PM   #56
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by interracialtoons
Well, you're right!

The limit is 8 chars.

I only got into the salt debate because someone posted that the problem could be fixed with random salt.

The only fix is to limit passwords to 8 chars or use something other than crypt()



Well, at least I discovered some really smart people in this post which made it all worth my time.

Thanks for all the replies and "battles" hehehe!

Nope, I still don't get you.
You were the one that went on and on about the salt and how it is the first two letters of the password.

Then you said your janesmith123 janesmith321 whatever encrypted passwords were all the same. Well, for me they're not.

Then you said
Quote:
Originally Posted by interracialtoons
So "jane186" is far better than "janesmith186" or "186janesmith"
So if that's the case my 3char passwd must be a frikkin doddle. I even gave you the encrypted password - salt and all.

Where the hell did you find that bullshit text to copy and paste from?
Old 08-29-2006, 02:24 PM   #57
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by interracialtoons
If you generated the password with anything other than crypt() then I can NOT hack it.
it was generated by crypt().
The truth.
Now crack it. All of 3chars.
You said you'd do it in one try.
Old 08-29-2006, 02:28 PM   #58
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
From Netcraft's homepage as of today

Four of the 10 most reliable hosters run their sites on FreeBSD, while two use Linux, and Windows Server 2003, Windows 2000 and Solaris 8 all make one appearance.

Let me guess where you fall?
Old 08-29-2006, 02:30 PM   #59
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
You haven't shown anything. You asked for someone to put up a 3-char password and you'd crack it in 1 try.

Yes, the 8-char limit for some OSs has been shown, but so fucking what?
First you started out saying the salt added to the passwd, which was shot down since no one uses standard salt. Then you said no one understands. Then you asked for a proof-of-concept 3char passwd to crack. Then you said you've had enough and you're off to bed?????

Ehm,

Thankfully, nobody hires you to programme for them.
"Thankfully, nobody hires you to programme for them"

If you've been around for a while you probably already bought one of my scripts...so pop that nonsense.


Nobody put up a link that had a 9 digit password encrypted with crypt()!
And it wasn't me who went off on a tangent about salt.
The only reason I brought up salt was to show how crypt made a password.
I said over and over again that salt was NOT the problem; yet you sound as though you think crypt() can be fixed by not using standard salt; and if that's what you still think then you didn't understand the problem.

The fix is to use a short password less than 9 characters.
Forget about salt.


But anyway thanks for posting some good stuff.
Old 08-29-2006, 02:44 PM   #60
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Nope, it was you who kept harping on about salt in your original post. Now you're changing your stance to "any 9char passwd"

Well, I ain't saying anything until you crack my piss easy 3char passwd.
Again, just to quote you:
Quote:
Originally Posted by interracialtoons
So "jane186" is far better than "janesmith186" or "186janesmith"
If jane186 (7chars) is a better passwd than the other two (which even with an 8char OS crypt() limit, are effectively 8chars), then you'll have no problem cracking a 3char passwd.


I'm off to bed. You have until the morning to crack it.
Hopefully this thread will now die as it should do, kneejerker.
Old 08-29-2006, 02:48 PM   #61
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
and I have never bought a script in my life, so I doubt it!
I programme low level code. I can back-end script with my eyes closed, so why would I need to buy shitty htaccess perl scripts from you?
Old 08-29-2006, 02:53 PM   #62
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720
Hat's off to you. Quality post 4 sure!
Old 08-29-2006, 03:04 PM   #63
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Well, I never said it was hard....
Old 08-29-2006, 03:09 PM   #64
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720
Quote:
Originally Posted by borked
Well, I never said it was hard....

I did it with pencil and paper

Old 08-29-2006, 03:24 PM   #65
Daruma
Confirmed User
 
 
Join Date: Nov 2002
Location: PandaLand™
Posts: 3,494
borked - what's your contact info - email
__________________

RIP TD
Old 08-29-2006, 06:04 PM   #66
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
Well, I never said it was hard....
I finished dinner so now:

Like I said; I only need one guess for a 3 char encrypted password.

Go here and create passwords or use crypt($passwd, $salt).
http://www.htaccesstools.com/htpasswd-generator/


Run script:




#!/usr/bin/perl

print "Content-type: text/html\n\n";

$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;

$passencrypted = "QVK7qHfRnSw3M";
$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";

$a = 0;
foreach (@one) {
    if ($a >= 80) {
        print "abort<br>";
        exit;
    }
    $b = 0;
    foreach (@two) {
        $c = 0;
        foreach (@three) {
            $pw = "$one[$a]$two[$b]$three[$c]";
            $check = crypt($pw, $salt);
            if ($check eq $passencrypted) {
                print "$pw - is a possible password<br>";
            }
            $c++;
        }
        $b++;
    }
    $a++;
}

print "Ended OK";

exit;





So much for encryption!
Old 08-29-2006, 06:07 PM   #67
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
PS: That little hack I just wrote for you assumes passwords without special characters...I could easily add all special characters to the alphadata string.

And, I could do the full eight characters but not on MY SERVER!
Too much resources.
Old 08-29-2006, 06:13 PM   #68
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720
Wow, you code like you draw dude!
Old 08-29-2006, 06:21 PM   #69
s9ann0
Confirmed User
 
Join Date: Sep 2001
Location: Boston
Posts: 4,873
I didn't really go into it but I think I get what you are saying - basically people are using the password as salt and they should use a random salt?

generally i think people are a bit stupid about security in this industry
Old 08-29-2006, 06:41 PM   #70
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by dcortez
Hey sunshine:

crypt PLAINTEXT,SALT

The same PLAINTEXT and SALT will always return the same string, but there is no (known) way to get the original PLAINTEXT from the hash.



BRUUUUUUUUUUHAHAHAHAHAHAHAHAHAHAHAHAHA!!


HAHHAHAHAHAHAHAHAH!!!

*sigh*


There's no known way...hehehehe!

Unless you can write 20 lines of FUCKING CODE!!!


BRUUUUUUUUUUHAHAHAHAHAHHAHAHAHAHA!


Let's see; please count these lines:

$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
$passencrypted = "QVK7qHfRnSw3M";
$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";
$a = 0;
foreach (@one) {
$b=0;
foreach(@two) {
$c = 0;
foreach (@three) {
$pw = "$one[$a]$two[$b]$three[$c]";
$check = crypt($pw, $salt);
if ($check eq $passencrypted) {print "$pw - is a possible password<br>";}
$c++;}
$b++;}

$a++;}
print "Ended OK";





hehehehehe....hohohohoh....HAHAHAHAHAHAHA!

*sigh*
Old 08-30-2006, 07:53 AM   #71
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Where my dogs at?
Old 08-30-2006, 08:09 AM   #72
ServerGenius
Confirmed User
 
Join Date: Feb 2002
Location: Amsterdam
Posts: 9,377
perl is sooooo 80's
__________________
| http://www.sinnerscash.com/ | ICQ: 370820 | Skype: SinnersCash | AdultWhosWho |
Old 08-30-2006, 08:09 AM   #73
studiocritic
Confirmed User
 
Join Date: Jun 2005
Location: Irvine, CA
Posts: 2,442
this thread makes me giggle.
__________________
254342256
Old 08-30-2006, 08:21 AM   #74
drjones
Confirmed User
 
Join Date: Oct 2005
Location: Charlotte, NC
Posts: 908
Quote:
Originally Posted by ServerGenius
perl is sooooo 80's
Well judging by all the modules that continue to pour into CPAN, perl is still very much in style;)
__________________
ICQ: 284903372
Old 08-30-2006, 08:25 AM   #75
extreme
Confirmed User
 
Join Date: Oct 2002
Location: lalaland
Posts: 2,120
Or use a salt like: $1$<8 random chars>

Then you'll get an MD5 encrypted password, which is much better than crypt. Don't ever use the password as the salt value, it has to be random chars.
Old 08-30-2006, 08:38 AM   #76
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by ServerGenius
perl is sooooo 80's
Yeah, the 80's...back when programmers went to college and actually had brains before trying to run a business.

No matter how much "new" shit comes out I have yet to find something that could not be done in perl already.

ASP = SSI with perl cgi
Java = Object oriented perl (Java does come with easy tools though)
PHP = If you can't learn perl
C, C++ = Perl without the cool shit for text manipulation
...etc...

I think the reason webmasters sought solutions other than perl is that they didn't have good knowledge of libwww

libwww contains tons of modules that allow perl to do, well, MAGIC!
Any new thing done on the internet can be programmed into a perl module and added to libwww. The modules can be written in different languages also, with C++ being one of the most used.

Libwww allows perl to grow as a language without actually changing perl.
This is not true with most of the "new stuff".

If development of libwww continues in a positive direction then I suspect that in the future webmasters will migrate back to it as they will find that they can learn 5 new languages to get the project done or they can just use perl with all its libraries.

The only drawback I see for perl is client-side applications. The client has to make an http request for perl. But Javascript can handle a lot of that and SSI can use perl to determine what javascript to send the client.
Old 08-30-2006, 08:51 AM   #77
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by extreme
Or use a salt like: $1$<8 random chars>

Then you'll get an MD5 encrypted password, which is much better than crypt. Don't ever use the password as the salt value, it has to be random chars.
You should read my post above where I "UNENCRYPT" your password no matter what salt you use. Run the code...then talk to me.
Old 08-30-2006, 08:59 AM   #78
AgentCash
Confirmed User
 
Join Date: Feb 2002
Posts: 720
Quote:
Originally Posted by interracialtoons
You should read my post above where I "UNENCRYPT" your password no matter what salt you use. Run the code...then talk to me.

That's not 'unencrypting', that's cracking. If someone can read your crypted passwords, you have bigger problems than an 8 character limit.
Old 08-30-2006, 09:10 AM   #79
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
what's this thread about ?
8chr crypt passwords had been crackable since ages
__________________
1337 5y54|)m1n: 157717888
BM-2cUBw4B2fgiYAfjkE7JvWaJMiUXD96n9tN
Cambooth
Old 08-30-2006, 09:13 AM   #80
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by AgentCash
That's not 'unencrypting', that's cracking. If someone can read your crypted passwords, you have bigger problems than an 8 character limit.
All of your employees in the computer programming department can read your customers encrypted passwords!

All your server admins for your hosted sites can read your surfers encrypted passwords.

When one of the above gets fired and decides to fuck up all your member/customer accounts, you will then understand why I brought this issue up.

That's the only reason they are encrypted.

The hackers and surfers have to "break in" to read these files so like you said, if they can read the files you have bigger problems. But that's not the issue.


The issue is that there is a belief that the crypt files can not be used to return the original password. I have shown this to be a myth.

PS: "unencrypting" is a subset of "cracking".
Old 08-30-2006, 09:19 AM   #81
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by darksoul
what's this thread about ?
8chr crypt passwords had been crackable since ages
Yeah, and that's why this post is relevant because people keep fucking using them!


darksoul-logic = "Don't tell me about cigarettes causing cancer; that was discovered years ago...(begins to chain smoke)".
Old 08-30-2006, 09:27 AM   #82
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons
darksoul-logic = "Don't tell me about cigarettes causing cancer; that was discovered years ago...(begins to chain smoke)".
you damn right.
I'm already aware of the issue so I don't need to hear your preaching about.

See my point ? Everyone knows about it, move along.
Old 08-30-2006, 09:30 AM   #83
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
Jesus christ what fucking shitstorm did i walk into.
__________________

PHP-MySQL-Rails | ICQ: 342500546
Old 08-30-2006, 09:39 AM   #84
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by darksoul
you damn right.
I'm already aware of the issue so I don't need to hear your preaching about.

See my point ? Everyone knows about it, move along.
Oh, you could hear me typing this thread and had to come here to tell me to keep it down so you could concentrate.


BTW: There is no such thing as an encrypted password created by a known/accessible function that cannot be unencrypted!
There are only passwords that require too much processing to be worth anyone's time (except Russian spies).

For example the 8char password could take up to 6,095,689,385,410,816 iterations of a subroutine to unencrypt. And that would require a dedicated computer that could run for anywhere from 2 months to 2 years before giving the result. Thus the requirement of many secure sites that you change your password every 90 days. By the time the computer has figured out your encrypted password you have already changed it to something else.
Old 08-30-2006, 09:43 AM   #85
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by mrkris
Jesus christ what fucking shitstorm did i walk into.
Old 08-30-2006, 09:49 AM   #86
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons
For example the 8char password could take up to 6,095,689,385,410,816 iterations of a subroutine to unencrypt. And that would require a dedicated computer that could run for anywhere from 2 months to 2 years
shows how much you know.
http://www.antsight.com/zsl/rainbowcrack/

you can STFU now
Old 08-30-2006, 09:56 AM   #87
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by darksoul
shows how much you know.
http://www.antsight.com/zsl/rainbowcrack/

you can STFU now
Show how good you can read!

I said "up to" as in, the worst case scenario would require that much processing.

You must be one of those dudes who reads the want ad saying "earn up to $50,000" and you're stupid enough to think that's what YOU will make.
Old 08-30-2006, 10:03 AM   #88
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by darksoul
shows how much you know.
http://www.antsight.com/zsl/rainbowcrack/

you can STFU now

You should read the shit you post before posting it

Quote:
Originally Posted by antsight.com
time-memory trade-off cracker can be hundreds of times faster than a brute force cracker, with the help of precomputed tables.
It's faster only after doing all the shit I said in advance and storing the results. What a waste of fucking time for you to post such obvious bullshit.
Everything's faster when it's already done before you fucking start.
Old 08-30-2006, 10:04 AM   #89
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons
Show how good you can read!

I said "up to" as in, the worst case scenario would require that much processing.

You must be one of those dudes who reads the want ad saying "earn up to $50,000" and you're stupid enough to think that's what YOU will make.
dude, shut the fuck up. You were talking about bruteforce
Quote:
For example the 8char password could take up to 6,095,689,385,410,816 iterations of a subroutine to unencrypt.
how much lower do you want to go ?
Old 08-30-2006, 10:04 AM   #90
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Here we go again

The easy crack of DES is all assuming you have access to the encrypted password file to compare. If you don't, then you have to hope to god the site to hack doesn't enforce some limit on the number of tries.

And then after your 65 billion guesses, you get in. To where, an adult pay site to see some booteeee.
May have been easier to just pay the 1-month fee.


How many sites use htaccess to give free run of the server?
Old 08-30-2006, 10:05 AM   #91
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons
It's faster only after doing all the shit I said in advance and storing the results. What a waste of fucking time for you to post such obvious bullshit.
Everything's faster when it's already done before you fucking start.

haha, so you finally read what a rainbow table is
Old 08-30-2006, 10:07 AM   #92
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by antsight.com
If you are going to generate a set of tables, make sure to calculate the key space before you start. For example, tables with keyspace 7555858447479 (69^1 + 69^2 + 69^3 + 69^4 + 69^5 + 69^6 + 69^7) needs several years to generate on single PC.
I mean really. Posting shit that says the exact shit I just posted. WTF!
Old 08-30-2006, 10:09 AM   #93
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by interracialtoons

I said "up to"
if you read what you wrote (lol)
you said between 2 months and 2 years
using rainbow tables will take a few minutes and nowhere near 2 months.
make up your mind
Old 08-30-2006, 10:10 AM   #94
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by darksoul
haha, so you finally read what a rainbow table is
but they don't work with random salts
Old 08-30-2006, 10:12 AM   #95
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by borked
but they don't work with random salts
but you already have the salt.
Old 08-30-2006, 10:13 AM   #96
interracialtoons
Confirmed User
 
Join Date: May 2006
Posts: 1,910
Quote:
Originally Posted by borked
Here we go again

The easy crack of DES is all assuming you have access to the encrypted password file to compare. If you don't, then you have to hope to god the site to hack doesn't enforce some limit on the number of tries.

And then after your 65 billion guesses, you get in. To where, an adult pay site to see some booteeee.
May have been easier to just pay the 1-month fee.


How many sites use htaccess to give free run of the server?
Ahhhhh! Put a sock in it!

I had said that a 3char encrypted (using crypt()) password was bad and could be cracked in no time by someone who saw the encrypted password (like an employee of the site).

That's all I said. Then you go off into space and make a big deal about it.

Did you run the last fucking code I posted?

Go ahead and try your 3char encryption in my code and it will undo that shit in less than 3 secs!
Old 08-30-2006, 10:13 AM   #97
mrkris
Confirmed User
 
Join Date: May 2005
Posts: 2,737
y'all need to find jesus.
__________________

PHP-MySQL-Rails | ICQ: 342500546
Old 08-30-2006, 10:14 AM   #98
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
Quote:
Originally Posted by darksoul
but you already have the salt.
if you have access to the encrypted passwd file, yeah. but then wouldn't the server be already hacked?
Old 08-30-2006, 10:16 AM   #99
darksoul
Confirmed User
 
 
Join Date: Apr 2002
Location: /root/
Posts: 4,997
Quote:
Originally Posted by borked
if you have access to the encrypted passwd file, yeah. but then wouldn't the server be already hacked?

that's the reason this thread is useless
Old 08-30-2006, 10:17 AM   #100
borked
Totally Borked
 
Join Date: Feb 2005
Posts: 6,284
anyway, I said random salts.
rainbow tables are lookup tables. No good if the salt is random - the encrypted pass will change each time
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)



All models are wrong, but some are useful. George E.P. Box. p202
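
The disagreement above about rainbow tables and salts, worked through as an added example (not code posted by anyone in the thread): a precomputed table only matches hashes made with the salt it was built for, while the server, which stores the salt beside the hash, still verifies logins. SHA-256 stands in for crypt() so the block runs on the standard library alone; the candidate list and function names are constructed for illustration, and the two keyspace figures are the ones quoted in the thread (69^1 through 69^7, and 94^8).

```python
import hashlib
import hmac
import os

# Traditional DES crypt(3) uses a 2-character salt drawn from 64 symbols.
DES_CRYPT_SALTS = 64 ** 2  # 4096 possible salts

# Constructed sample candidates, for illustration only.
CANDIDATES = ["abc", "letmein", "hunter2"]

def keyspace(alphabet, length, up_to=False):
    """Passwords of exactly `length` symbols, or of 1..length if up_to."""
    lengths = range(1, length + 1) if up_to else [length]
    return sum(alphabet ** n for n in lengths)

def digest(password, salt=b""):
    """SHA-256 stand-in for the password hash (assumption: not DES crypt)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(candidates, salt=b""):
    """Precompute hash -> password; valid only for the salt it was built with."""
    return {digest(p, salt): p for p in candidates}

def verify(password, salt, stored):
    """Server-side check: the salt is stored beside the hash, not secret."""
    return hmac.compare_digest(digest(password, salt), stored)

def demo():
    table = build_table(CANDIDATES)        # one unsalted precomputed table
    salt = os.urandom(16)                  # fresh random salt per password
    stored = digest("abc", salt)
    return {
        "unsalted_hit": table.get(digest("abc")),        # found in the table
        "salted_hit": table.get(stored),                 # None: table does not apply
        "per_salt_hit": build_table(CANDIDATES, salt).get(stored),
        "login_ok": verify("abc", salt, stored),
        "tables_needed_for_des_crypt": DES_CRYPT_SALTS,
        "thread_keyspace_69_up_to_7": keyspace(69, 7, up_to=True),
        "thread_keyspace_94_exactly_8": keyspace(94, 8),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both posters' points show up in the output: the salt is not a secret, so a table can be rebuilt for one known salt, but that work does not carry over to any other stored hash.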