It's a big site with, no doubt, a gold mine of email/password combinations to try vs. other services. Maybe the password storage was secure, but probably not. Maybe a few of those users were using secure one-off passwords, but realistically most weren't.
The hash iterations are due to vBulletin's life span and being a product. They had md5 hashed passwords. Then they realized they have to salt them. So instead of adding the the salt to the password then hashing it, they decided to add the salt to the hash so they could salt every password without having to wait to get the original password.
The point was more that two iterations of MD5 isn't nearly slow enough. This site claims 5.6G/s on an ATI 5970 (~$400US) card: http://www.golubev.com/hashgpu.htm
So for a 2-iteration password cracker, that's enough to search almost a 48 bit space of passwords in a day. That's enough to check every possible ASCII password of 7 characters or less, and a good heuristic search will probably get you much more than that.
Does the repeated MD5 protect it from the common MD5 attacks? (I recall there being something especially dangerous about just md5($salt . $pass), but I forget the details - Length Extension attack maybe?)
Worth noting this has nothing to do with any official Android website, nor is it in any way related to google. It's just a community website made by android fans for android fans.
The HN title should be changed to Phandroid to minimize confusion. Hackers will be keen enough to infer what the name means. It will also stop any rumors from people that just read headlines and think Google got hacked.
I'd love to know what the security experts here think.
Oh goody! Another million credentials to refine my password dictionary!
If it was a known vulnerability there is nothing to learn but "patch your shit". But if you want some advice, the only thing you can learn from somebody exploiting a web application (assuming the hole was in vBulletin, which we have no idea) is that you can't trust the security of web applications. Do all the general system-hardening stuff that nobody ever does, install a webapp firewall, and pray.
"PHP" bulletin boards are the largest there is, VB is the most well known forum software there is... It has nothing to do with PHP, you can exploit any language.
In all fairness, they appear to have handled this incredibly well and have been very informative. Which is much more than can be said for the breaches in most other cases. And at least the passwords were hashed (although how well, they don't really say -- I guess that would be part of the vBulletin package?)
21 comments
[ 3.0 ms ] story [ 54.6 ms ] threadSo for a 2-iteration password cracker, that's enough to search almost a 48 bit space of passwords in a day. That's enough to check every possible ASCII password of 7 characters or less, and a good heuristic search will probably get you much more than that.
> If you still want to do it by steam, for a new user you just need to generate a 3 character salt randomly ...
I can't see the code example, but assuming char is 8 bits (which isn't unreasonable for ascii), that's at best, 16M unique salts.
Server setting needed hardening?
Software needed updating and was vulnerable?
vBulletin is a well used and documented lice of code. I'd love to know what the security experts here think.
Oh goody! Another million credentials to refine my password dictionary!
If it was a known vulnerability there is nothing to learn but "patch your shit". But if you want some advice, the only thing you can learn from somebody exploiting a web application (assuming the hole was in vBulletin, which we have no idea) is that you can't trust the security of web applications. Do all the general system-hardening stuff that nobody ever does, install a webapp firewall, and pray.
(sorry, that was terrible).