Random user switching?

intogamer

Lifer
Dec 5, 2004
19,219
1
76
Hey Jason, I would like to know what's up with users signing on as a different user? I remember this happened a while back around when some users were able to use an HTML exploit? for custom avatars. Is there some kind of bug when you do software updates?

As I posted in another thread, is it possible for a user on a different account to go check his cookies to get the password because he is already logged in? Just how LoKe was able to download login information from AT servers?

FuseTalk at risk?
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Even with the cookies, they won't have your password, but rather a hashed version of it. It's unlikely that anyone would be able to decrypt that hash and have your password. However, it is possible for them to continue logging on as their victim, so long as the password to the account isn't changed (doing so would change the hash).
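
The point made in the reply above, as an added example that is not part of the original thread or FuseTalk's code: a cookie carrying the stored password hash keeps working as a login credential until the password changes, while a random server-side session token can be revoked on its own. The class names, PBKDF2 parameters and sample passwords are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets

def pw_hash(password, salt):
    # Salted PBKDF2 as a stand-in; the forum's real scheme is not stated.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

class HashCookieSite:
    """Login cookie is the stored password hash (the design discussed above)."""
    def __init__(self):
        self.users = {}                       # user -> (salt, stored hash)
    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, pw_hash(password, salt))
    def login(self, user, password):
        salt, stored = self.users[user]
        ok = hmac.compare_digest(stored, pw_hash(password, salt))
        return stored if ok else None         # the hash doubles as the cookie
    def cookie_ok(self, user, cookie):
        return hmac.compare_digest(self.users[user][1], cookie)

class SessionTokenSite(HashCookieSite):
    """Login cookie is a random token held server-side, so it can be revoked."""
    def __init__(self):
        super().__init__()
        self.sessions = {}                    # token -> user
    def login(self, user, password):
        if super().login(user, password) is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token
    def cookie_ok(self, user, cookie):
        return self.sessions.get(cookie) == user
    def revoke_all(self, user):
        self.sessions = {t: u for t, u in self.sessions.items() if u != user}

def demo():
    a, b = HashCookieSite(), SessionTokenSite()
    for site in (a, b):
        site.set_password("alice", "constructed-sample-pw")
    copied_a = a.login("alice", "constructed-sample-pw")  # cookie seen by a third party
    copied_b = b.login("alice", "constructed-sample-pw")
    before = (a.cookie_ok("alice", copied_a), b.cookie_ok("alice", copied_b))
    b.revoke_all("alice")                     # token site: no password change needed
    after_revoke = b.cookie_ok("alice", copied_b)
    a.set_password("alice", "constructed-new-pw")  # hash-cookie site: only remedy
    after_change = a.cookie_ok("alice", copied_a)
    return before, after_revoke, after_change
```

`demo()` returns the validity of the copied cookie on each site before any action, after session revocation on the token site, and after a password change on the hash-cookie site.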
 

Jason Clark

Diamond Member
Oct 9, 1999
5,497
1
0
I'm quite sure the login issue was nailed, from what I can tell it's a bug in the FuseTalk cookie management. I will ensure it gets passed on to them on Monday. All passwords are hashed when they are stored, so it's impossible for someone to get your password.

Cheers.
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Originally posted by: Jason Clark
I'm quite sure the login issue was nailed, from what I can tell it's a bug in the FuseTalk cookie management. I will ensure it gets passed on to them on Monday. All passwords are hashed when they are stored, so it's impossible for someone to get your password.

Cheers.

Let's not say impossible.
 

intogamer

Lifer
Dec 5, 2004
19,219
1
76
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?
 

intogamer

Lifer
Dec 5, 2004
19,219
1
76
Originally posted by: Alone
Originally posted by: Jason Clark
I'm quite sure the login issue was nailed, from what I can tell it's a bug in the FuseTalk cookie management. I will ensure it gets passed on to them on Monday. All passwords are hashed when they are stored, so it's impossible for someone to get your password.

Cheers.

Let's not say impossible.

Hehe I did see a video on YouTube for cracking Windows Admin. They used a site to decrypt the hash I believe.
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

Originally posted by: intogamer
Hehe I did see a video on YouTube for cracking Windows Admin. They used a site to decrypt the hash I believe.

There are plenty of LiveCDs that will crack a Windows password easily.
 

intogamer

Lifer
Dec 5, 2004
19,219
1
76
Originally posted by: Alone
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

What I'm talking about is, are there different types of hashes? Like different levels, or are hashes just one way of encrypting?
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Originally posted by: intogamer
Originally posted by: Alone
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

What I'm talking about is, are there different types of hashes? Like different levels, or are hashes just one way of encrypting?

There are plenty, like MD5 and SHA1.
 

intogamer

Lifer
Dec 5, 2004
19,219
1
76
Originally posted by: Alone
Originally posted by: intogamer
Originally posted by: Alone
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

What I'm talking about is, are there different types of hashes? Like different levels, or are hashes just one way of encrypting?

There are plenty, like MD5 and SHA1.

Now which one does AT use?
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Originally posted by: intogamer
Now which one does AT use?

It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.

But I just hope it's simply not SHA1, because that has been broken already. =p
 

intogamer

Lifer
Dec 5, 2004
19,219
1
76
Originally posted by: Alone
Originally posted by: intogamer
Now which one does AT use?

It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.

But I just hope it's simply not SHA1, because that has been broken already. =p

Correct! Hehe Jason, another bug! The OP gets to select which post is the answer.
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Originally posted by: intogamer
Correct! Hehe Jason, another bug! The OP gets to select which post is the answer.

The OP is supposed to be able to do that.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0
Originally posted by: Alone
Originally posted by: intogamer
Now which one does AT use?
It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.
But I just hope it's simply not SHA1, because that has been broken already. =p

:roll: Please show reference to where SHA1 is broken. Theoretically weakened perhaps, broken, no. I love how you mention it could be MD5 but hope it's not SHA1 where MD5 is deprecated for a reason and SHA1 is still the primary secure hashing scheme in use....
 

Alone

Diamond Member
Nov 19, 2006
7,490
0
0
Originally posted by: bsobel
Originally posted by: Alone
Originally posted by: intogamer
Now which one does AT use?
It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.
But I just hope it's simply not SHA1, because that has been broken already. =p

:roll: Please show reference to where SHA1 is broken. Theoretically weakened perhaps, broken, no. I love how you mention it could be MD5 but hope it's not SHA1 where MD5 is deprecated for a reason and SHA1 is still the primary secure hashing scheme in use....

http://www.schneier.com/blog/a...05/02/sha1_broken.html
http://intertwingly.net/blog/2005/02/16/SHA-1-Broken
http://www.nemein.com/people/r..._propably__broken.html
http://it.slashdot.org/article...02/16/0146218&from=rss
http://scottstuff.net/blog/art...005/02/16/sha-1-broken

Enjoy. If I'm missing something critically important, I wouldn't have any problems with being corrected.
 

bsobel

Moderator Emeritus
Elite Member
Dec 9, 2001
13,346
0
0

Well it might be an intellectual debate, I think Bruce greatly oversimplifies things. At best sha1 is reduced. There is still no reasonably low cost way for me to generate arbitrary content that matches to a specific sha. What I can do is generate semi-arbitrary content which matches to a specific sha with less than 2^80 operations (the statistical average).

In practice this means while you can generate content with the same sha, the cookie as used here would be meaningless since you simply couldn't make 'my' cookie sha to the same as yours (given formatting and such, not enough opportunity to generate the semi-arbitrary part).
 