General > General Technical Chat

Check your email address(s) and passwords for cyber security breaches

<< < (14/22) > >>

nctnico:

--- Quote from: Halcyon on January 15, 2023, 12:49:57 am ---
--- Quote from: Shock on January 14, 2023, 07:33:15 am ---Well some of us don't inherently trust websites enough to direct 60,000 users or their companies clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

--- End quote ---

No one is talking about inherently trusting websites (such as HIBP), in fact, I explicitly said that you shouldn't just take my word and experience as the complete truth without doing your own research.

But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash

--- End quote ---
Just the use of SHA-1, which is known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

alexanderbrevig:

--- Quote from: nctnico on January 15, 2023, 12:37:26 pm ---Just the use of SHA-1, which is known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

--- End quote ---

Make a proof of concept script that shows the plaintext based on the first five bytes of the SHA-1 and you will be an over-night infosec celebrity. It's not doable. It's more than good enough for its use here.

You are simply wrong.

nctnico:

--- Quote from: alexanderbrevig on January 15, 2023, 01:51:57 pm ---
--- Quote from: nctnico on January 15, 2023, 12:37:26 pm ---Just the use of SHA-1, which is known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

--- End quote ---

Make a proof of concept script that shows the plaintext based on the first five bytes of the SHA-1 and you will be an over-night infosec celebrity. It's not doable. It's more than good enough for its use here.

--- End quote ---
No. With 25% of the hash you can limit the pool of passwords you need for a brute force attack and thus accellerate such an attack on a password. With SHA1 being broken you can accellerate the process of reversing the hash and thus reduce the computational time needed.

alexanderbrevig:
https://en.m.wikipedia.org/wiki/Avalanche_effect

Still need the entire search space for finding a collision. What's worse, you will get many collisions with no true way of knowing which is the original clear text.

Congrats on hashing all the plausible clear texts only to guess the next 15 bytes from the numerous matches you will get from the first five.

You are still wrong.

I find it funny that people on here think they can challenge Cloudflare on security practices and implementation.
The math speaks for itself.

nctnico:

--- Quote from: alexanderbrevig on January 15, 2023, 04:30:31 pm ---https://en.m.wikipedia.org/wiki/Avalanche_effect

Still need the entire search space for finding a collision. What's worse, you will get many collisions with no true way of knowing which is the original clear text.

--- End quote ---
You can insist I'm wrong but I'm definitely not. You are not getting the actual point I'm making here. With part of the hash you can determine offline which may be suitable passwords to try a brute force attack with. Most websites require a password that is like 6 or 8 characters long. Most of these passwords will be text (names, places, regular words, etc), maybe a special character and some numbers. This creates a rather limited pool of passwords to try but you don't know which ones to try. If you have a partial hash for the correct password, you suddenly can filter the pool of passwords to try with the ones that match the hash. So the number of passwords you have to try reduces from trillions to millions. Probably even less. From there use an algorithm that sorts the passwords in order of likely hood (maybe mix in some info that has been obtained through phising social engineering) and you stand a pretty good chance of using the right password after only a few tries.

Navigation

[0] Message Index

[#] Next page

[*] Previous page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod