Quote:
Originally Posted by DeBlackKnite
MD5 is broken. There are rainbow tables available that will instantly reverse many passwords, and because the hash function is so cheap, tools like hashcat will rape MD5 even with salt. Say your password is "xsoekcnm" - random characters. But it's too short and can be instantly reversed, just search for md5 reverse and enter 4ecf096b453a0760b02bd0aa0f3740fa.
|
Well, the whole point of the salt is really to just slow down the rainbow tables that hash cat uses, or make it not work.
For example, lets get a real example in here for what we want to do:
Lets say we have a database of 1,954,977 members. If the password isn't salted, it's literally a matter of running your tool or whatnot, iterating through the list for each "word", and see if any passwords match.. Sure, we need to check almost 2 million data entries like 70 million times, but I mean, it's not TOO bad.. Not only that, since the passwords are represented in our table, we actually don't need to hash anything or call anything to check it -> we just access the table and make our comparisions
Essentially, imagine: we check the first word in the table, scan the "leak" for matches in the list of hashes, if so, boom, easy.
If the password is salted however, NOTHING in that table is going to match anymore. Obviously, we know the salt - it's written right in the MD5 hash (since salted hash is just hash:salt or salt:hash or whatever), the person trying to crack knows the salt.. Despite this, the amount of work that has to be done is like freakin n^2 compared to n! lol.. If the passwords are salted, your table mapping "xsoekcnm" -> 4ecf096b453a0760b02bd0aa0f3740fa suddenly does not match - xsoekcnm doesn't hash to that anymore, so you would need to calculate md5($salt, $plaintextpw), and remake the table.
Regardless, it's gonna slow it the hell down.. Now suddenly instead of:
- for each word in the rainbow table
- Parse hashes for match
you are suddenly:
- for each word in the rainbow table
- calculate what hash would be generated using a given salt
---> (note, you might realise - in order to calculate what the hash would be for a given salt, they would need to know #1 a plaintext password and #2 the hash that is generated that corresponds to this plaintext password)
- parse hashes for matches
Regardless, I doubt anyone would bother doing this for this game.. there is literally no motivation behind trying to access anyone account here, to be honest. I can see if someone would want to hack the admins password or something, but even so, there really isn't a gain to that - what you should be worried about is using the same password for different websites, registered with that username/email.
To be honest, I don't even think the leak was specifically regarding flashflashrevolution, but obviously I don't know for sure - probably related to this:
https://haveibeenpwned.com/PwnedWebsites#VBulletin
EDIT: lol nvm theres a specific section for just FFR
https://haveibeenpwned.com/PwnedWebs...lashRevolution
INTERNET FAMOUS BOIZ