Because it wasn't a brute force attack, and it wasn't an attack against the database.
Squad Squad Squad lead?
The standardization of Toribash Squad roles may have gone too far!
The only thing I would suggest is captcha to stop people from trying to log in too many times. I've seen way too many instances of password hacking programs and I don't believe Toribash has protection against it.

Even though there isn't any protection against that I still believe Toribash has good enough protection to get the account back to the original owner.
Originally Posted by suomynona
Because it wasn't a brute force attack, and it wasn't an attack against the database.

Ah.
Originally Posted by Shmevin
The only thing I would suggest is captcha to stop people from trying to log in too many times. I've seen way too many instances of password hacking programs and I don't believe Toribash has protection against it.

Even though there isn't any protection against that I still believe Toribash has good enough protection to get the account back to the original owner.

There's already a limit on number of wrong logins allowed.
Hi I'm Ravenger/brorave.
I was SMod before and then I got perma-banned.
He means if you get a keylogger on your system, then it'd be just a waiting game. Once you typed in your username and password, the 'hacker' now has your username and password.

Get it?
<Crooked> I'd say spartan, cause if he's tough enough to digest ungodly amounts of alcohol he clearly has the best body
Lol brute force...

What is this? The 90s?

Dictionary attacks are way more common. Besides, I heard you are using MD5, so rainbow tables are probably more efficient for large volumes.


Though since you said "reasonable", then I assume you are salting too, so rainbow tables would be slow...
Originally Posted by Spartan094
He means if you get a keylogger on your system, then it'd be just a waiting game. Once you typed in your username and password, the 'hacker' now has your username and password.

Get it?

Wat.
The only thing I would suggest is captcha to stop people from trying to log in too many times.

That's what I was replying to.

Plus, CAPTCHA wouldn't do dick to stop keyloggers.
Originally Posted by Gorman
Lol brute force...

What is this? The 90s?

Dictionary attacks are way more common. Besides, I heard you are using MD5, so rainbow tables are probably more efficient for large volumes.


Though since you said "reasonable", then I assume you are salting too, so rainbow tables would be slow...

Brute forcing one MD5 doesn't take an unimaginable amount of time, even salted. I'll pull up hashcat or a similar program if you want me to.
Last edited by PLACEH0LDER; Sep 5, 2011 at 06:20 PM.
Hi I'm Ravenger/brorave.
I was SMod before and then I got perma-banned.
From what I know, cracking passwords doesn't have to generally be an outright dictionary attack. It only has to be a clever way of tricking users into unknowingly presenting you with the password. Rave, you of all people should know how stupid people are and how easily you can get an idiot's password.

What I think Toribash should have is a group of people (maybe paid, who knows) who work at finding exploits that someone could use to gain access to other users' accounts, and reporting them/fixing them.

Either that, or a pin on every account that is required if a user logs in from a different IP address, which is simpler to place into action, and is relatively safe (letters/numbers/other characters instead of only numbers).
Hoss.
Originally Posted by PLACEH0LDER
Brute forcing one MD5 doesn't take an unimaginable amount of time, even salted. I'll pull up hashcat or a similar program if you want me to.

Not unimaginable, but comparing salted and unsalted, the time per account would be orders of magnitude more with salted, since you have to recompile the tables each time.

No need to prove it, if we are talking about just 1 MD5, then of course there is no difference. But if we are talking about grabbing as many as we can, then unsalted is far weaker since we can check them with 1 table. (I did say "large volumes" after all)
When I see you, my heart goes DOKI⑨DOKI
Fish: "Gorman has been chosen for admin. After a lengthy discussion we've all decided that Gorman is the best choice for the next admin."
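The salted-versus-unsalted point in the post above, as an added example that is not part of the original thread and not Toribash's code: it shows that unsalted MD5 gives identical digests for identical passwords (so one precomputed table serves every account), while a per-user salt forces the work to be repeated per account. The account names, passwords and record format are constructed, and PBKDF2-HMAC-SHA256 is used here as the hardened scheme in place of salted MD5.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data): two users share a password.
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "tr0ub4dor"}

def unsalted_md5(password: str) -> str:
    """Legacy scheme discussed in the thread: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Hypothetical record layout: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def guesses_needed(n_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Hash computations needed to test a wordlist against every account.
    Unsalted: each candidate is hashed once and compared with all rows.
    Salted: each candidate must be re-hashed for every distinct salt."""
    return wordlist_size * (n_accounts if salted else 1)

def distinct_records(records) -> int:
    """How many different stored values a set of accounts produces."""
    return len(set(records))

if __name__ == "__main__":
    md5_rows = [unsalted_md5(p) for p in ACCOUNTS.values()]
    kdf_rows = [hash_password(p) for p in ACCOUNTS.values()]
    # Shared passwords collapse to one digest without a salt.
    print("distinct unsalted digests:", distinct_records(md5_rows))
    print("distinct salted records:  ", distinct_records(kdf_rows))
    print("work, unsalted:", guesses_needed(100_000, 1_000_000, salted=False))
    print("work, salted:  ", guesses_needed(100_000, 1_000_000, salted=True))
```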
Originally Posted by Hyde
From what I know, cracking passwords doesn't have to generally be an outright dictionary attack. It only has to be a clever way of tricking users into unknowingly presenting you with the password. Rave, you of all people should know how stupid people are and how easily you can get an idiot's password.

What I think Toribash should have is a group of people (maybe paid, who knows) who work at finding exploits that someone could use to gain access to other users' accounts, and reporting them/fixing them.

Either that, or a pin on every account that is required if a user logs in from a different IP address, which is simpler to place into action, and is relatively safe (letters/numbers/other characters instead of only numbers).

Eh. That's more or less what a forum-dev team is for, in addition to writing new material. That's not to say others can't find exploits. I've found quite a few in the time I've been here.

And somehow users would find a way to give away their pin.
Hi I'm Ravenger/brorave.
I was SMod before and then I got perma-banned.
If someone hacks you (very unlikely) then the admins will rape that person if you give them proof. You'll get your TC back and they'll be banned, and you'll be told to change your password.
I'm completely cool about it, I really don't care 'cause of the account history, a lot of hackers are dumbasses for not knowing about it, and they can be easily caught without knowing it.
Tint is sex.