Random user switching?

Hey Jason, I would like to know what's up with users signing on as a different user? I remember this happened a while back around when some users were able to use an HTML exploit? for custom avatars. Is there some kind of bug when you do software updates?

As I posted in another thread, is it possible for a user on a different account to check his cookies to get the password because he is already logged in? Just how LoKe was able to download login information from AT servers?

FuseTalk at risk?
 
Even with the cookies, they won't have your password, but rather a hashed version of it. It's unlikely that anyone would be able to decrypt that hash and have your password. However, it is possible for them to continue logging on as their victim, so long as the password to the account isn't changed (doing so would change the hash).
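The behaviour described in the reply above, as an added sketch (not FuseTalk's code and not written by anyone in this thread): a cookie that carries the stored hash keeps working for anyone holding a copy until the password changes, while a random server-side session token can be revoked at logout. The class names, the `user:hash` cookie layout and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> str:
    # Salted PBKDF2; the iteration count is an assumption for this sketch.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

class HashCookieSite:
    """Hypothetical site whose login cookie carries the stored password hash."""
    def __init__(self):
        self.users = {}      # user -> (salt, stored hash)
        self.sessions = {}   # used only by the subclass below

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)  # per-user salt: equal passwords, different hashes
        self.users[user] = (salt, hash_password(password, salt))

    def check_password(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def login(self, user, password):
        return f"{user}:{self.users[user][1]}" if self.check_password(user, password) else None

    def logout(self, cookie):
        pass  # nothing server-side to revoke; the browser only drops its own copy

    def authenticate(self, cookie):
        user, _, value = cookie.partition(":")
        record = self.users.get(user)
        ok = record and hmac.compare_digest(record[1].encode(), value.encode())
        return user if ok else None

class SessionTokenSite(HashCookieSite):
    """Same hypothetical site, but the cookie is a random server-side token."""
    def set_password(self, user, password):
        super().set_password(user, password)
        # A password change also ends every existing session for that user.
        self.sessions = {t: u for t, u in self.sessions.items() if u != user}

    def login(self, user, password):
        if not self.check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def authenticate(self, cookie):
        return self.sessions.get(cookie)
```

In the first design the only way to invalidate a copied cookie is a password change; in the second, logout or a password change removes the token on the server and the copy stops working.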
 
I'm quite sure the login issue was nailed, from what I can tell it's a bug in the FuseTalk cookie management. I will ensure it gets passed on to them on Monday. All passwords are hashed when they are stored, so it's impossible for someone to get your password.

Cheers.
 
Originally posted by: Jason Clark
I'm quite sure the login issue was nailed, from what I can tell it's a bug in the FuseTalk cookie management. I will ensure it gets passed on to them on Monday. All passwords are hashed when they are stored, so it's impossible for someone to get your password.

Cheers.

Let's not say impossible. 🙂
 
Originally posted by: Alone
Originally posted by: Jason Clark
I'm quite sure the login issue was nailed, from what I can tell it's a bug in the FuseTalk cookie management. I will ensure it gets passed on to them on Monday. All passwords are hashed when they are stored, so it's impossible for someone to get your password.

Cheers.

Let's not say impossible. 🙂

Hehe I did see a video on YouTube for cracking Windows Admin. They used a site to decrypt the hash I believe.
 
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

Originally posted by: intogamer
Hehe I did see a video on YouTube for cracking Windows Admin. They used a site to decrypt the hash I believe.

There are plenty of LiveCDs that will crack a Windows password easily.
 
Originally posted by: Alone
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

What I'm talking about is, are there different types of hashes? Like different levels, or are hashes just one way of encrypting?
 
Originally posted by: intogamer
Originally posted by: Alone
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

What I'm talking about is, are there different types of hashes? Like different levels, or are hashes just one way of encrypting?

There are plenty, like md5 and sha1.
 
Originally posted by: Alone
Originally posted by: intogamer
Originally posted by: Alone
Originally posted by: intogamer
What if someone saved the hash, so they would have an encrypted copy of your password?

Are hashes all the same?

There are plenty of ways to encrypt a password, and all the hashes will be different. Even if we had the same password, our hashes would more than likely be different.

What I'm talking about is, are there different types of hashes? Like different levels, or are hashes just one way of encrypting?

There are plenty, like md5 and sha1.

Now which one does AT use? 😉
 
Originally posted by: intogamer
Now which one does AT use? 😉

It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.

But I just hope it's simply not SHA1, because that has been broken already. =p
 
Originally posted by: Alone
Originally posted by: intogamer
Now which one does AT use? 😉

It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.

But I just hope it's simply not SHA1, because that has been broken already. =p

Correct! Hehhe Jason another bug! The OP gets to select which post is the answer.
 
Originally posted by: Alone
Originally posted by: intogamer
Now which one does AT use? 😉
It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.
But I just hope it's simply not SHA1, because that has been broken already. =p

:roll: Please show reference to where SHA1 is broken. Theoretically weakened perhaps, broken, no. I love how you mention it could be MD5 but hope it's not SHA1 where MD5 is deprecated for a reason and SHA1 is still the primary secure hashing scheme in use....
 
Originally posted by: bsobel
Originally posted by: Alone
Originally posted by: intogamer
Now which one does AT use? 😉
It's hard to know for sure. It could be alphanumeric symbol with MD5, it could be multiple MD5s on the same string, it could be a SHA1 hash, encrypted with MD5. Who knows.
But I just hope it's simply not SHA1, because that has been broken already. =p

:roll: Please show reference to where SHA1 is broken. Theoretically weakened perhaps, broken, no. I love how you mention it could be MD5 but hope it's not SHA1 where MD5 is deprecated for a reason and SHA1 is still the primary secure hashing scheme in use....

http://www.schneier.com/blog/a...05/02/sha1_broken.html
http://intertwingly.net/blog/2005/02/16/SHA-1-Broken
http://www.nemein.com/people/r..._propably__broken.html
http://it.slashdot.org/article...02/16/0146218&from=rss
http://scottstuff.net/blog/art...005/02/16/sha-1-broken

Enjoy. If I'm missing something critically important, I wouldn't have any problems with being corrected.
 

Well it might be an intellectual debate, I think Bruce greatly oversimplifies things. At best sha1 is reduced. There is still no reasonably low cost way for me to generate arbitrary content that matches to a specific sha. What I can do is generate semi-arbitrary content which matches to a specific sha with less than 2^80 operations (the statistical average).

In practice this means while you can generate content with the same sha, the cookie as used here would be meaningless since you simply couldn't make 'my' cookie sha to the same as yours (given formatting and such, not enough opportunity to generate the semi-arbitrary part).
 