If you realize that the MD5 algorithm is not that strong then why would you not choose to use a much stronger encryption?

MD5 isn't encryption, it's a hashing algorithm. They're designed to be not reversible. Once you have the hashes though it's simple to use a word list and a simple algorithm to determine what the original passwords were for any account using an insecure password (which as anyone who knows anything about your average internet password knows, it isn't too rare...).
 
Seeing that my password was "password" I assumed it was already hacked. I keep separate logins and real passwords for things where I actually need security, that way when something like this happens all of my other accounts are safe.
 
wrong direction

If you realize that the MD5 algorithm is not that strong then why would you not choose to use a much stronger encryption?

It's not "encryption".

And the big issue is mostly how slow it is. Because with hashing algorithms used for password protection, you want it to be s-l-o-w. Of course it must have various other attributes but, for passwords, speed is not your friend.
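Added example (not part of any post in this thread): the per-guess cost of a salted single-pass MD5 next to a deliberately slow key-derivation function, which is the property the reply above is pointing at. PBKDF2-HMAC-SHA256 from the Python standard library stands in for a slow password hash; the iteration count, function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import time

# Constructed value for this example; raise it as far as your login latency allows.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, derived_key); a fresh random per-user salt is made if none is given."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the slow hash and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def salted_md5(password: str, salt: bytes) -> bytes:
    """Fast scheme for comparison only: a single MD5 pass over password + salt."""
    return hashlib.md5(password.encode() + salt).digest()


def seconds_per_hash(fn, rounds: int) -> float:
    """Average wall-clock time of one call to fn."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one slow-KDF evaluation is than one salted MD5."""
    salt = os.urandom(16)
    fast = seconds_per_hash(lambda: salted_md5("password", salt), 20_000)
    slow = seconds_per_hash(lambda: hash_password("password", salt), 3)
    return slow / fast


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, key))
    print("slow KDF costs about %.0fx one salted MD5 per guess" % cost_ratio())
```

The ratio is what each guess costs anyone testing candidate passwords against a leaked hash, while a legitimate login pays it only once.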
 
PSA: Password managers like 1Password and iCloud Keychain are definitely something everyone should look into. These types of leaks are never fun, but you'll rest easier knowing that all of your logins are randomly generated and unique.
 
MD5 isn't encryption, it's a hashing algorithm. They're designed to be not reversible. Once you have the hashes though it's simple to use a word list and a simple algorithm to determine what the original passwords were for any account using an insecure password (which as anyone who knows anything about your average internet password knows, it isn't too rare...).

So to crack passwords, they use word lists?
 
PSA: Password managers like 1Password and iCloud Keychain are definitely something everyone should look into. These types of leaks are never fun, but you'll rest easier knowing that all of your logins are randomly generated and unique.

Definitely. It took just a couple of seconds for me with the iCloud Keychain generator.
 
Why were you storing our passwords in the first place?

You are supposed to store an irreversible hash of them instead.

Hopefully some of the "shoot first, ask questions later" moderators who love to suspend users for uncalled for reasons will stop being cocky and start worrying about truly serious aspects such as the security of our login credentials.

And of course, I can only second the question above. Why?
 
So to crack passwords, they use word lists?

Among other things. Also appending random characters, substituting letters with numbers and symbols (as is common in many passwords), appending dates/locations, etc. There's even this guy who parsed Twitter for words and made a massive wordlist out of it. Hacking has come quite far, insecure passwords are still quite common, and MD5 is quite weak. Like Arn said, consider your password hacked.
 
An informative post by rmwebs that I'll put here for more exposure.

Seriously, you don't need to lecture me about password hashing and salting - I do it for a living ;)

Whilst you're correct that salting the raw password string before hashing it does add a (moderate) level of security, with MD5 and SHA1 that's nullified by the fact that the strings can be reversed.

As an example, let's say you have:

Password: My4ws0meP455W0Rd!
Salt: 5Vu9.<emDF6k$&

You combine it: My4ws0meP455W0Rd!5Vu9.<emDF6k$&

And you then MD5 it to get: 6ff01f01a2b090ce34acf1fbc28d04cd

Now that's in the database as your password.

See the big flaw? You've added no security at all really. Because MD5 and SHA1 take seconds to decode, you can reverse the MD5 hash and you'll get the combined string back. Then because vB stores a raw copy of the salt, all they have to do is strip off that salt string and hey presto, they have your password.

There's a reason nobody uses MD5 or SHA1 anymore.

Modern systems use Bcrypt based hashing, and in some cases combine that with an RSA Public/Private key system or an AES based initialisation vector system - this makes passwords a LOT more secure as there is no way of knowing the vector. Currently it's the strongest method of encryption, and when it's done on top of a hashing algorithm will mean an extreme level of security.

You should browse around Stackoverflow at the cryptography guides.

P.S - there is EVERYTHING wrong with using MD5 hashes, you never, ever, ever use MD5 or SHA1 for passwords, no matter how many times you iterate over the string, or how many times you salt it. It will always be possible to decode it very fast.
 
Hopefully some of the "shoot first, ask questions later" moderators who love to suspend users for uncalled for reasons will stop being cocky and start worrying about truly serious aspects such as the security of our login credentials.

And of course, I can only second the question above. Why?

Moderators do not have access to or administer the security of the site or login credentials. We also do not have access to the user password databases. That said, we still moderate to the best of our ability according to the rules of the forum.
 
Change your passwords, fast, fast! :eek: You do realise this forum doesn't use https and all traffic could be intercepted in plain text, right? :D
 
Is it easy to crack a 256-bit randomly generated password? Either way I'll make a new one. Not even I know what my password is :eek:
 
So to crack passwords, they use word lists?

They use something called a rainbow table.

http://en.wikipedia.org/wiki/Rainbow_table

To break the salt the VB uses they'll look for people who use 'password' or 12345 as their password (the reason being lots of people will use them). This will let them find out what the salt (the bit that's added into the hash) is. Once they've done that, they can go through and reverse engineer the passwords.
 