
Crunchyroll was breached - claims of passwords stored as MD5, change them

What would the rationale behind storing passwords in MD5 be, then?

Incompetence, web developers who thought MD5 is synonymous with secure hashing, etc.

The only vulnerable accounts on other sites would be those that also work with MD5.

And use the same salt, otherwise the same password will generate a different hash. Of course someone using MD5 might not know about salting either...
 
Anyone getting mad about md5 probably doesn't know what they're talking about, which includes most people in this thread. Here's my md5 hashed password.

174e6c4038f4e4ac92fe44d2c9b3d253

There you go, have fun.
 
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/1/

Everyone should give this a read. Basically, password cracking has gotten at least a little bit beyond brute force. Now it is about educated guessing, which involves having sets of words (called dicts) and behavior lists (methodologies people use to make passwords, like capitalizing every other letter, or inserting the numbers 1, 2, 3 and 4 between successive letters). Running a dict against a set of behaviors allows you to crack a significant portion of passwords. As for salting, in any instance where you have a large body of passwords, you can safely assume that at least some proportion have a common or obvious password, so to crack the salt, all you are really doing is starting with a very common, short password, and then running the set of all salts on that password to see if you match an md5 hash in the text file that has all the user hashes. You've now cracked the salt.

Md5 should be looked down on and rightfully so when there are better alternatives out there, especially when the only trade off is a bit more computational power.
 
That's an interesting link. Although wouldn't just making the salt a 20 digit randomized string just solve this issue entirely? You can't brute force 'jj583jqg4jfalkdsfj9a0w@*U$jfkld'

EDIT: Never mind, understood it wrong.

But yes, salting is great, but there are a lot of sites that don't do it.

Also it still isn't a reason for them to use MD5. Even when there are other options to make it more difficult, it is still relatively unsafe.
 
I guess I'll change my password when I get home. I bought a 1-year subscription so there is no card data to access at least.

Changed my password, but not terribly concerned. Crunchyroll occupies the "low" tier of my passwords, which is different from my bank/email/etc logins.

Also this.
 
Anyone getting mad about md5 probably doesn't know what they're talking about, which includes most people in this thread. Here's my md5 hashed password.

174e6c4038f4e4ac92fe44d2c9b3d253

There you go, have fun.

It's still irresponsible of them to use it when there are plenty of hashing algorithms that aren't fast and easy to compute.

There are precomputed lookup tables of literally every possible MD5-hashed password under 10 characters, which already covers more than half of passwords in use, given the stats on average password length. And they're expanding all the time.
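As an added illustration of the two points raised in this thread (dictionary or table lookup against unsalted MD5, and why a per-user random salt plus a slow hash defeats it), here is a small self-contained Python example. It is not code from Crunchyroll, the Ars Technica article, or any poster; the "lookup table" is a constructed toy of four common passwords, and the slow hash uses PBKDF2-HMAC-SHA256 from the standard library as one widely available choice (bcrypt, scrypt or Argon2 serve the same purpose).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "precomputed table": unsalted MD5 digest -> password for a
# handful of common passwords. The real tables mentioned in the thread cover
# every short password; this toy only shows the lookup mechanism.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_unsalted(password: str) -> str:
    """The weak scheme the thread criticises: a bare, fast, unsalted MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest: str) -> Optional[str]:
    """Reverse an unsalted MD5 digest by table lookup; None if not in the table.

    With no salt, every site that stores the same password produces the same
    digest, so one table answers for all of them.
    """
    return MD5_TABLE.get(digest)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> dict:
    """Store a password with a per-user random salt and a deliberately slow KDF.

    Returns the record a server keeps: salt, iteration count and derived key.
    The salt is not secret; its job is to make every user's hash unique, so a
    precomputed table (or one guess) cannot be reused across users or sites.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for each user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def pbkdf2_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"],
                             record["iterations"], dklen=32)
    return hmac.compare_digest(dk, record["hash"])


def same_password_same_hash(scheme: str, password: str) -> bool:
    """Do two users with the same password get identical stored values?

    True for unsalted MD5 (identical digests leak shared passwords and allow
    one table hit to unlock every such account), False for the salted KDF.
    """
    if scheme == "md5":
        return md5_unsalted(password) == md5_unsalted(password)
    a, b = pbkdf2_hash(password), pbkdf2_hash(password)
    return a["hash"] == b["hash"]


if __name__ == "__main__":
    leaked = md5_unsalted("123456")
    print("unsalted MD5 table lookup:", lookup_md5(leaked))      # 123456
    rec = pbkdf2_hash("123456")
    print("salted PBKDF2 verify:", pbkdf2_verify("123456", rec))  # True
    print("wrong password:", pbkdf2_verify("password", rec))      # False
```

The point a defender takes from this: the salt alone does not make MD5 slow, so the second half of the fix is the iteration count (or memory cost, for scrypt/Argon2), which turns each guess from nanoseconds into a deliberately expensive operation and makes the dictionary-plus-rules approach described above proportionally costlier.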
 