Dude, Yellowpipe decrypter does work, I've used it before. If you want, I can give you the sequence I used, and we'll see if you can get the password after that, cus if you can't, then your theory fails.
In case you are wondering how many possible combinations there are for the total number of sets, use simple math. 2^2* = 20*7*52
I do not want you to give me the sequence of hashes. That is for my script to figure out and it is *00% accurate because I programmed it precisely for that purpose.
If you give me the sequence I would have your password cracked in less than *0 seconds, but I do not want the sequence.
If encrypted wrong by your website, it will decrypt wrong but still output your original text. You never gave me an answer for this:
sha*(md5(sha*(sha*(md5(md5(sha*("aa")))))));
This will test your site's accuracy.
b42*60e2c667d**5*2ac*e0aeab20260**d6*f00
That's the hash that comes out of it.
It should be correct to yours. There is a slight possibility that your coding is wrong *waits for SyntaX to murder me for insulting his coding skillz*
That is the correct hash. The reason it cannot be an error in my code is because I have tested many different combinations to crack and it has cracked them all. Try to re-encrypt aa and see if you get the same answer. If you do, post your sequence so we can find the problem. There is a very tiny, I mean really 0.00*% chance that something is wrong on one of my comparison operators in the code but highly unlikely. [b]EDITED: NOPE, no chance I made an error.[/b]
Sure thing, tomorrow. I gotta go for now, but we can figure this out tomorrow.
But mark my words SyntaX, you will be posting PWNT and dead animal pics, very very soon :D
You underestimate mathematics. Math is a science not an art. You are forced to calculate human error into your hash. My code will never make an error. Do NOT post your sequence tomorrow. Give your sequence to Mike and let him get the correct hash using PHP. Then give me the hash.
Get ready to post a STICKY!
Yellowpipe decrypter (being a PHP page) is obviously using the md5() and sha*() functions, so there is no doubt in my mind that it is accurate.. But I will PM mike with the details and such, and I'll recalculate both hashes myself.
Might I s***est a dead cow as your pic? :p
I would focus more of your time writing your sticky. :cool:
Want me to really make you nervous? Post the hash of a shorter sequence that you won't make a mistake copying and pasting from one hash to another like you did on the last one. I will have it cracked in 5 minutes.
Oh yeah, you must also post a video on ************ exclaiming that syntax****** pwned joo! and explaining why he pwns joo!
[QUOTE]I believe the best way to avoid brute force is to attach a 20 character string onto each password before md5 hashing it. This will eliminate any chance that a brute forcer will ever crack the password. So you would actually:[/QUOTE]
This is what I do with my site. It's called a salt.
Every user password is appended with a 2 character salt, hashed, then stored in the database on registration. Then this salt is appended to their password when they login, hashed, then checked against the database copy.
It prevents bruteforce/dictionary attacks.
I guess 2 characters is pretty poor as a salt, but I couldn't be bothered to make it ultra-secure. I'm not going to reveal the 2 character system, but they are generated individually based on registration info.
Response to thread: too busy to get involved, but Moonbat can run some PHP on my site if he wants, or tell me what to make and I'll make it.
I read a couple of posts, and I believe Syntax is correct. You can apply as many hash functions as you want, but if the attacker knows the whole procedure, they can do exactly the same to brute force the password. You hash once with sha*()? They apply the SHA* hash to common words to find the password. You hash ten times with sha*(md5(sha*(md5(sha*(md5(sha*(md5(sha*(md5("lol"))))))))))? They apply the same to common words to discover your password.
It's security by obscurity, but I believe salting works equally as well as this -- you have to never reveal the salt string, just as here you have to never reveal the whole hashing procedure. However, if you salt with random information (or smartly-generated information), that is stronger than this.
So in conclusion, salting owns all, but security-by-obscurity usually is fine. My salting method is weaker than most, but still effective.
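Added example, not part of the original thread or any poster's code: the post above contrasts a fixed chain of fast hashes with salting, and this sketch shows the difference a random per-user salt makes when two users choose the same password. The function names, the chain order, the 16-byte salt, the PBKDF2 iteration count and the sample password are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def chained_fast_hash(password: str) -> str:
    """Fixed, unsalted chain of fast hashes (constructed for this example)."""
    digest = password
    for name in ("md5", "sha1", "md5", "sha1"):
        digest = hashlib.new(name, digest.encode()).hexdigest()
    return digest


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random 16-byte salt per user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def demo() -> dict:
    # Two constructed users who picked the same (constructed) password.
    alice_salt, alice_key = hash_password("hunter2")
    bob_salt, bob_key = hash_password("hunter2")
    return {
        # Same input, same chain: one precomputed guess matches every user.
        "chain_collides": chained_fast_hash("hunter2") == chained_fast_hash("hunter2"),
        # Random salts: identical passwords give unrelated stored values.
        "salted_collides": alice_key == bob_key,
        "login_ok": verify_password("hunter2", alice_salt, alice_key),
        "wrong_pw_ok": verify_password("hunter3", alice_salt, alice_key),
        "cross_user_ok": verify_password("hunter2", bob_salt, alice_key),
    }


if __name__ == "__main__":
    print(demo())
```

In this sketch the salt is stored next to the derived key; each guess has to be recomputed per user and costs `PBKDF2_ITERATIONS` hash operations instead of a handful.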
Awesome. Just post the real hash once he gives you his hash sequence. He really doesn't believe I will crack it.
[quote=mike*5*]They generate a wordlist of SHA*-hashed common words.[/quote]
I do not have a common word list. I try every single possible combination. If it does not find one, it does not exist. Yes there is a time trade off, but time is not a factor in this case. Once you allow passes over 5 letters the run times get a little crazy. I've come up with my own formulas & theories to fight time though. I just don't have the extra computers to implement them.
He hasn't PMed me yet, so we'll have to wait.
In other news, it looks like some bastard has been using my account! The rules thread was deleted by 'mike*5*', but I never remember doing that.
Memory loss could be explained by a certain thing, but I'd never be moderating at such a time.
Who has been using my god damn account?
Can you tell in the admin logs? I really doubt anyone hacked the database.
I looked at the deletion IP address, and it seems to be mine (at least the first two octets, I think).
My bad. I have no idea why I deleted it then, or when I deleted it.
I should stop coming on here at *AM in no state to manage anything.
Saudi Arabia has some good hackers, one of them could be targeting us. After this whole Saudi thing, I changed my pw up big time.
Anyway, now that I've had a night to think about it, I think SyntaX will win this no matter what. With those password restrictions (5 chars, A-Z, a-z, and 0-*), all he has to do is generate every possible combination of those 62 alphanumeric characters in groups of *-5. That shouldn't take too long at all.
Then he sees how long my hash is, and brutes it accordingly (SHA* is longer than MD5 in terms of characters).
So no matter what I do, SyntaX (nay, the power of t*h ub4r cod*r) will find it out anyway, after all, we have rules, and in a real life situation, I would never make 5-char passwords.
Here's what I'll do: SyntaX, if you release your source code (all of it) publicly, then I'll admit defeat, post a sticky with PWNED by SyntaX******, and some dead animals and a justgotowned.com link.
Are you giving up before posting the hash? :rolleyes:
You're making it sound like it's an easy crack. Want to switch roles in the challenge? I give you the two hashes and you give me my password.