Is there anything stopping the owners of this site from taking our passwords?

This is an archive of the mabination.com forums which were active from 2010 to 2018. You can not register, post or otherwise interact with the site other than browsing the content for historical purposes. The content is provided as-is, from the moment of the last backup taken of the database in 2019. Image and video embeds are disabled on purpose and represented textually since most of those links are dead.

To view other archive projects go to https://archives.mabination.com

Xemnas wrote on 2012-03-21 20:27

I honestly doubt anyone high up would even try something like stealing passwords (yet...),and all my passwords are randomized letters, numbers, or a combination of both. I can remember any type without writing them down, you just need to concentrate or learn to associate codes with certain things so it's burned into your memory.
TA wrote on 2012-03-21 20:30

I've answered this before, so I'll just leave my post here:

Quote from TA;719951:
The only thing stored "encrypted" are passwords, and even we cannot access those. We can change them, but we cannot view what one is, because it simply does not exist within the server in a readable format.

vBulletin uses MD5 and SHA1, but you should keep in mind that MD5 and SHA1 are not encryption algorithms, but are hashing algorithms. As such, they cannot be decrypted as the hash does not include the original data.

Passwords are stored in the following format:
[code]$password_hash = md5(md5($password_text) . $user_salt);[/code]

tl;dr - nobody can get your password. They're hashed, not encrypted. They can't be decrypted. It's not possible.
Osayidan wrote on 2012-03-21 21:59

Can't get them like TA showed, and I suggest you make yourself one godly password that you remember as if your life depends on it, and then get keepass http://keepass.info/
Yoorah wrote on 2012-03-21 22:04

You should not re-use your passwords. Use unique passwords and keep them written down on paper somewhere. Or use one of those automated password management programs, like KeePass or whatever's more popular these days.

As TA said, by default, this forum software does not store your passwords in the database. Instead, it stores your password's hash, which in simple terms is like a signature of your password. Every time you enter the password into the system for a login, the system converts it to its signature and checks if it matches the signature stored in the site's database. It doesn't compare actual passwords. :3 This is why the system cannot email you your password if you forget it.

That is, if you look at it with a limited understanding of computer security. In practice, you can reverse a hash/"signature" back into the original password if you have the right resources. Proper salting does make this less feasible, but none the less, it's quite possible to get your passwords if an experienced hacker really wanted to do so.

Furthermore, the forum software could be set up to not store passwords as hashes, but rather store them in their original, plaintext form.

Of course, Osayidan wouldn't do something like that, but it's still something you need to be aware of anyway. So like I said, don't re-use passwords.
TA wrote on 2012-03-21 22:10

I use Password Safe, personally.

Also, you can use this generator: http://rumkin.com/tools/password/pass_gen.php

Try a string like so:
[code]abcdefghijkmnopqrstuvwxyzACDEFGHJKLMNPQRTUVWXYZ234679!\"?$%^&*()_-+={}[]:;@'~#|<>.,/[/code]

Keep it at like 18-22 characters or so.

Some examples (don't use these):
[SIZE="1"](ATi"u!jjzH&]NQ_\Xu>Q|
xJKhy+K3VU|X=-&);;ddgr
_Xd{cx@q{hsvJ^??Xo2Zo,
PujTUte!_o3V*!hDH"/&&Z
hvg*yd^bgxE~_d9rFd3Tjy
NCX$/?4Li|v_!t$E)|?P)s
eAjuQ)MmLQ'M:pt#$7dZVz[/SIZE]

If you want to make it more complex, you can throw in a few alt codes and it makes it orders of magnitude harder to brute force. Every character you add also exponentially increases the difficulty of cracking it.

edit: Also, use a different password for everything. Use a different e-mail for important things. You can route all of the e-mails to a central e-mail so you don't have to check all of them.
Cow wrote on 2012-03-22 01:29

The passwords are encrypted. That's why whenever you register, the password box is always the dots or '*'
Odin wrote on 2012-03-23 02:45

Quote from Splatulated;815015:
i use the same password for a large chunk of everythign i do .-.

They can indeed if they wanted to badly enough.

However if this forum is constructed in any sane manner, the passwords are stored in an hashed form. They would have to read out the hashed data from the main database, and then try to crack it to get the actual password back using methods similar to how people's Mabinogi accounts have been getting hacked so badly lately.

It would take a lot more effort than it would be worth I think, unless you happen to be protecting a few hundred thousand dollars in your bank account with the same password.
Malogg wrote on 2012-03-26 08:23

Protip: NEVER check the "Remember password" box. That's the easiest way to forget your password.
Elena wrote on 2012-03-26 17:34

I've never forgotten a password after checking the box. xD
Cannibal wrote on 2012-03-26 17:42

Yeah, I have the box checked all the time, and I still remember my password.

Of course, I've been here almost 2 years...
Elena wrote on 2012-03-26 18:25

Yeah...Only time I forget a password is when I visit the site like once a year.
Milk wrote on 2012-03-26 21:47

I have a pretty insane password I use.
Its pretty much muscle memory now but i know what and why its in that order in specific.
For social sites I use a pretty simple password but i still feel like id be pretty hard to guess.
Elena wrote on 2012-03-27 00:44

My password for the important things is somewhat short but incredibly nonsensical. For social sites and things like that it's normal words and a number.

« First ‹ Prev 1 2