FlyerTalk Forums - View Single Post - flyertalk site redirected?
Old Nov 23, 2009 | 6:11 pm
  #44  
colonius
All eyes on you!
Join Date: Jul 2002
Location: Victoria, BC
Programs: UA 1k, AA Exec Plt 2MM, HH Diamond, *wood Gold, disgruntled Amex Ex-Centurion
Posts: 594
Originally Posted by Steph3n
MD5 with SALT is useless, it is NOT a one way hash and can easily be defeated
I know I may be nitpicking here. MD5 is a one-way hash algorithm in the way that it is not possible to reconstruct the original message (i.e. password) from the hash value.

But, as I pointed out earlier, that is not necessary for a successful attack. Once the password file (which has salted hash values, not cleartext) is obtained, using brute force will turn up every password of 6 characters or less in a few hours. Dictionary attacks will reveal most passwords that are common names or everyday words.

MD5 specific attacks will compromise many secure passwords by finding a different message that, when salted, will generate the same hash as the unknown password - thus potentially compromising all/most passwords.

Originally Posted by Steph3n
as it has on other vB powered sites of major size, if you want details, ASK. I am a member of another site that had similar things happen (not an Internet Brands owned site), they tried to cover it up as well. In the end they ate some humble pie, told the real facts, and secured their systems and firewalls again from the start with more security in mind. In addition they use a proxyshield at times when DDOS attacks and brute force attempts happen that aid in loading the site for the legit users.

The hackers responded by posting DB dumps of email addresses, passwords, and other sensitive info on rapidshare and other sites, not once but THREE times over two weeks. (updated to latest passwords and info each time)
That would indicate to me that more is wrong than just the salted password hashes being compromised once. It would indicate a system that is still compromised. If malicious code of some kind "listens" in to new passwords as they are entered, all salting and hashing is futile.

Also, vulnerabilities might exist in the vB software that promote security breaches - but that is just idle speculation, as I don't know the software.

Originally Posted by Steph3n
They too had MD5 with salt, but it is outdated and not a secure means anymore. You are giving a false sense of security in this reply.
Yes, as I pointed out as well. Too many corporations still lack a capable security administrator. Pointing out security of their system by quoting MD5 shows a lack of understanding, unfortunately.
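The point made above, that a salt does not stop dictionary or brute-force guessing against a stolen hash file and that only the per-guess cost does, can be shown directly. The following is an added example written for this page; it is not code from the thread, from vBulletin, or from any poster. The salt, the wordlist and the sample password are constructed here; `md5_salted` models the one-MD5-over-salt-plus-password scheme the thread describes, and `pbkdf2_hash` is the slow-KDF alternative offered for comparison.

```python
import hashlib
import hmac
import time

# Constructed sample values for this example (not taken from the thread).
SALT = bytes.fromhex("a3f1c9d0e4b2778f")
WORDLIST = ["letmein", "password", "victoria", "flyertalk", "qwerty1", "sunshine"]


def md5_salted(password: str, salt: bytes) -> str:
    """The scheme discussed in the thread: a single MD5 over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """A deliberately slow password hash (PBKDF2-HMAC-SHA256) for comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def guesses_to_recover(stored: str, salt: bytes, wordlist, hasher):
    """Dictionary check against one stored hash.

    Returns (number_of_guesses, candidate) or None. The salt is known to anyone
    holding the hash file, so it does not change how many guesses are needed;
    it only prevents reuse of one precomputed table across many accounts.
    """
    for count, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hasher(candidate, salt), stored):
            return count, candidate
    return None


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a charset of the given size."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def hours_to_exhaust(charset_size: int, max_len: int, guesses_per_second: float) -> float:
    """Wall-clock hours to try every candidate at a given guess rate."""
    return keyspace(charset_size, max_len) / guesses_per_second / 3600


def cost_ratio(password: str, salt: bytes, md5_trials: int = 2000, kdf_trials: int = 3) -> float:
    """How many times more expensive one PBKDF2 guess is than one salted-MD5 guess."""
    start = time.perf_counter()
    for _ in range(md5_trials):
        md5_salted(password, salt)
    md5_per_guess = (time.perf_counter() - start) / md5_trials

    start = time.perf_counter()
    for _ in range(kdf_trials):
        pbkdf2_hash(password, salt)
    kdf_per_guess = (time.perf_counter() - start) / kdf_trials
    return kdf_per_guess / md5_per_guess


if __name__ == "__main__":
    stolen = md5_salted("victoria", SALT)
    print("salted MD5 recovered after", guesses_to_recover(stolen, SALT, WORDLIST, md5_salted))
    stolen_slow = pbkdf2_hash("victoria", SALT)
    print("PBKDF2 recovered after", guesses_to_recover(stolen_slow, SALT, WORDLIST, pbkdf2_hash))
    print("candidates up to 6 printable ASCII chars:", keyspace(95, 6))
    print("hours at 1e8 guesses/s (assumed rate):", round(hours_to_exhaust(95, 6, 1e8), 2))
    print("PBKDF2 guess costs about", round(cost_ratio("victoria", SALT)), "x a salted-MD5 guess")
```

Both schemes fall to the same wordlist after the same number of guesses; the difference is that every guess against the PBKDF2 hash costs thousands of MD5 evaluations, which is what turns "a few hours" for a short keyspace into an impractical run. The 1e8 guesses/s figure is an assumed rate for illustration, not a measurement.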