[TYPO3-english] TYPO3.ORG hacked
Erik Svendsen
erik at linnearad.no
Sat Nov 15 00:00:35 CET 2008
Hello Frank,
You think if it's salted, the answer is yes and no. It's more difficult,
but not impossible, especially with a weak password. Another problem with "intrusion"
with admin user and password is that you may access data that can tell you
the salt algorithm, and even the salt.
We had an incident in Norway's largest forum about two years ago where someone
managed to get hold of a user account with enough rights to get all the
user data. They also turned off the forum and asked everyone to change their
password. I have done so today (as soon as I got the mail) on some forum sites
(and others) where I only have limited information.
> Robert Lemke wrote:
>
>> A general note: it doesn't matter much if a password is md5 hashed
>> or not - md5 is just a hash and not encryption. Nowadays it's relatively
>> easy to generate a password out of an md5 hash, especially if it is a weak
>> password with few characters and without special chars.
> Tell me if I'm wrong, if some secret string is appended to the
> password before it is hashed wouldn't that make it extremely hard for
> the password to be cracked if the secret was not found out?
>
WBR,
Erik Svendsen
www.linnearad.no
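
The point discussed in this thread, as an added example that is not part of the original message and not TYPO3's code: a single secret string appended before MD5 stops protecting weak passwords once the secret is disclosed, while a per-user random salt with a slow key-derivation function keeps every guess expensive. The secret value, the word list, the account names and the record format are constructed for illustration.

```python
import hashlib
import hmac
import os

SITE_SECRET = b"constructed-site-secret"  # assumption: one secret shared by all users
WEAK_WORDS = ["123456", "password", "typo3", "letmein"]  # constructed audit list


def legacy_hash(password: str, secret: bytes = SITE_SECRET) -> str:
    """Scheme asked about in the thread: md5(password + secret)."""
    return hashlib.md5(password.encode() + secret).hexdigest()


def audit_legacy(stored: dict, secret: bytes, words=WEAK_WORDS) -> dict:
    """Return accounts whose stored hash matches a known-weak password.

    With the secret known, each candidate word costs one MD5 and the
    resulting table is valid for every account at once.
    """
    table = {legacy_hash(w, secret): w for w in words}
    return {user: table[h] for user, h in stored.items() if h in table}


def strong_hash(password: str, iterations: int = 600_000) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (work factor is tunable)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample user table for the legacy scheme.
    stored = {
        "alice": legacy_hash("password"),
        "bob": legacy_hash("Xq7!vR2#mPz9-long-random"),
    }
    print("weak accounts (secret known):", audit_legacy(stored, SITE_SECRET))
    print("weak accounts (secret unknown):", audit_legacy(stored, b"wrong-guess"))
    rec = strong_hash("password")
    print("pbkdf2 record verifies:", strong_verify("password", rec))
```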