FOR SALE: Khmer440.com [SOLD!]

General Mackevili
The General
Posts: 18418
Joined: Tue May 06, 2014 5:24 pm
Reputation: 3408
Location: The Kingdom
United States of America

Re: FOR SALE: Khmer440.com

Post by General Mackevili »

StroppyChops wrote:
Edit: it's not even deemed to be hacking, it's just admin business as usual.

Personally, I'd consider it hacking. I feel admins have no right to read any member's PMs at all, period.

If it's serious enough to warrant snooping, I'm sure The NSA will be all over it anyways.
"Life is too important to take seriously."

"Life does not cease to be funny when people die any more than it ceases to be serious when people laugh."

OrangeDragon
Site Admin
Posts: 4193
Joined: Fri May 02, 2014 8:05 pm
Reputation: 17
United States of America

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

vladimir wrote:
I have one question:

Do admins on either board read Private Messages?

I know it can be done, you have to know what you're doing, and you need a reasonable idea of what the content is to do it.

OD, can you verify that?

And, of more significance, if you can hack PMs, is it not just a short step to hack their emails?

Despite what the "other admin" loves to claim, it's VERY easy to do. They're not encrypted and it just takes a look at the phpbb_private_msg table in the database to read them. That said, we don't. The only time I ever even open the database is to make mods, and most of those have their own scripts for updating the DB built in, so I don't even need to do it then. It has been claimed that "some admins" don't have the know-how to do so... frequently just after they have clearly done so. I can attest that GMack is completely inept at using the database however, and I really just don't give a shit what you have to say in your PMs.

As for hacking email, no... MUCH harder and the most we get is that we know your email address. In 'theory' if you used the same password for here and there we could attempt to crack the encrypted 'hash' of your password here to get the real thing, then use that to log into your email. But that's a LOT of work and really not that effective since there's no guarantee that it can be dehashed (google rainbow tables) or that once it is that you used the same password for both (which you never should).

When you enter your password to this system it encrypts it... so that the word "password" ends up as "5f4dcc3b5aa765d61d8327deb882cf99". Then all it saves in the DB is 5f4dcc3b5aa765d61d8327deb882cf99. Later, when you log in, it takes what you typed and does the same encryption to it, then if the result comes out at 5f4dcc3b5aa765d61d8327deb882cf99 it matches and knows you entered the right one. The original text is never saved in the DB and the only way to get it is to search a list of encrypted words to find one that matches, then see what that word had been. It's called 1 way encryption for a reason.

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

The other method for doing it would be to change the user's password, log in as them, then blame it on some technical glitch and make them reset their password when you're done. This system doesn't do it, though I wish it did, but some systems send out a nice automated email when your password has been changed to tattle on whoever did it.

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

(Also, if you want to see your own password hash there's a handy little generator that I just used for that example: http://www.md5hashgenerator.com/index.php )
Jaap N.
Expatriate
Posts: 904
Joined: Sat May 17, 2014 1:42 pm
Reputation: 10
Netherlands

Re: FOR SALE: Khmer440.com

Post by Jaap N. »

OrangeDragon wrote:
(Also, if you want to see your own password hash there's a handy little generator that I just used for that example: http://www.md5hashgenerator.com/index.php )

Is software available that does the opposite?

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

Not really, it's called a 1 way encryption for a reason.

The method to "crack" it is to take a huge dictionary of words and encrypt THEM the same way... then you look at the list of those results and see if any match the hash you want to crack. If so you see what word correlated to it and you have the password. A really involved process, especially if they add numbers/etc to their password. That list is called a Rainbow Table, and you can download premade ones pretty much all over the internet.

Like this one:
http://www.md5rainbow.com/

Google works well too... just do a search for the hash and see if any site has it in their public rainbow tables. A good way to test the security of your password.

Mine, for this site actually, returns:
Your search - XXXXXXXXXXXXXXXXXXXXXXXX - did not match any documents.

Suggestions:

Make sure all words are spelled correctly.
Try different keywords.
Try more general keywords.

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

It should be noted that we ALSO "salt" our encryption... it adds a string of random crap to the password before it encrypts it to make the result harder to snag with a rainbow table.
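
Added illustration, not part of the thread and not the forum software's own code: the posts above describe an unsalted MD5 lookup and then salting, and this sketch puts the two side by side. The wordlist is constructed, and the salted scheme (PBKDF2-HMAC-SHA256 with a 16-byte random salt and the iteration count shown) is an assumption chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; "password" and its MD5 are the thread's example.
WORDLIST = ["letmein", "password", "qwerty", "dragon"]
ITERATIONS = 600_000  # assumed work factor for this example


def md5_hex(text):
    """Unsalted MD5, as in the thread's "password" example."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> word once; reusable against every unsalted hash."""
    return {md5_hex(w): w for w in words}


def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def demo():
    table = build_lookup(WORDLIST)
    unsalted = md5_hex("password")
    salt_a, stored_a = hash_password("password")  # user A
    salt_b, stored_b = hash_password("password")  # user B, same password
    return {
        "unsalted": unsalted,
        "found_in_table": table.get(unsalted),            # precomputed hit
        "salted_found_in_table": table.get(stored_a.hex()),  # no hit
        "same_password_same_hash": stored_a == stored_b,  # salts differ
        "login_ok": verify_password("password", salt_a, stored_a),
        "login_bad": verify_password("Password", salt_a, stored_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

A salt does not make a weak password strong: it only forces the guessing to be redone per user instead of once for everyone, which is why the slow derivation function is paired with it.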

Re: FOR SALE: Khmer440.com

Post by Jaap N. »

Cool, OD, thanks!

Re: FOR SALE: Khmer440.com

Post by OrangeDragon »

Jaap N. wrote:
Cool, OD, thanks!

NP. I do suggest everyone always check their PW against Google's known hash tables... a password that's a Google search away from decrypting really isn't much of a password.

[Shameless Plug: I'm available for network security and penetration testing for reasonable rates to anyone seeking such services. http://www.webivation.net ]

And related: DARPA Hacking, fun for the whole family! http://www.pcworld.com/article/2070580/ ... s-fun.html
StroppyChops
The Missionary Man
Posts: 10598
Joined: Tue May 06, 2014 11:24 am
Reputation: 1032
Australia

Re: FOR SALE: Khmer440.com

Post by StroppyChops »

In western countries, the admin can be sued and jailed for reading email straight from the database and using that information unlawfully. Most colleges, for example, need a written instruction from the CEO or MD before an admin will look, and then the onus of the law is on the CEO. Naturally this gets abused if there is no watcher system (as you'd see in the justice system) in place.
Bodge: This ain't Kansas, and the neighbours ate Toto!