 Password Security 
Network Admin

Joined: Sat Sep 23, 2006 1:52 pm
Posts: 585
Location: Australia
Post subject: Password Security
This should be more of a blog entry than a news article, but until we finalise things there (Yes it's coming) here will have to do.

Before reading this article please keep in mind that SeersIRC uses the methods described below, and more, to secure all passwords for all users. As such all passwords are one way and we can't retrieve them for you if you forget them, only change them. All of the methods described below also assume the attacker has access to the database the user names and passwords are stored in.

Intro
I often see and hear about people who get 'hacked' on IRC, forums, MMORPGs etc. and am amazed at the number of people that don't understand the importance of strong passwords and strong authentication. I'm no expert but I know my share, so I'll share it with you all and hopefully you'll learn something and be the wiser for it.

Encryption methods
Encryption is as good as any to start. Passwords used by most mediums (IRC Networks, Forums, MMORPGs etc) are usually encrypted and possibly stored in an encrypted database on top of that. I say most however, as I know of some IRC Networks that do not encrypt their user passwords and instead store in plain text... something everyone should also be aware of.

Most encryption is done using either the older, more common MD5 algorithm or the more recently taken up SHA1 algorithm - both 'one way encryption' algorithms. Information on the specifics of how they work is outside the scope of this article but can be found via google/wikipedia quite easily.

Let's say we have a function MD5() that our forum uses to encrypt text. To encrypt a password we'd do something like:
Code:
md5(mypass)

Which would generate:
Code:
a029d0df84eb5549c641e04a9ef389e5

This encrypted password or 'hash' is then stored and your password can be checked against it later on. So now we have our password nice and safely encrypted in the database and no-one can decipher it? If only. A simple google search of our hash 'a029d0df84eb5549c641e04a9ef389e5' provides the following results (found here), and by checking some of them we can see that the hashed word is 'mypass'.

If you do the same with 1f3870be274f6c49b3e31a0c6728957f (results from google search here) you'll quickly be able to work out what the password I hashed was.

Now you can see why, even though MD5 is one way, if you have a short or common password the hash may be only a google search away from your password being revealed if someone gets your hashed password. There are many online services that can be used to crack vanilla md5/sha1 hashes using various methods; try googling 'cracking md5' for an example.

To show you just how easy it is, here is another hash: ae2b1fca515949e5d54fb22b8ed95575
If you use the site I found on the first google results page, milw0rm - http://www.milw0rm.com/cracker/insert.php you can see that too is an easy way to get results on hashed passwords.

Salting
So now we've established that basic passwords that are hashed with md5/sha1 can easily be recovered using google/online tools. How though can we stop this?

Probably one of the most effective ways you as a user of various mediums can secure your password is to make it as long as possible, and use all sorts of !&^@#% symbols in it. Every extra character of length or level of complexity you use makes your password exponentially harder to decipher. Most online services only have databases or services for cracking short passwords of 1-8 characters in length, and a-z, 0-9... no symbols.

The second way those that are administrators can use is a method called 'salting'. Salting is a common method of adding something secret to a password before it's hashed to increase the length and complexity of the password hash. An example is instead of:
Code:
md5(test) => 098f6bcd4621d373cade4e832627b4f6

Which can easily be deciphered or googled, you'd add a salt. In this case '*%#.gggfwe$>%}{\\', making the function:
Code:
md5(test*%#.gggfwe$>%}{\\) => 34d2d7df5524d5f5687f7465065cc424

This hash would have an extremely low chance of being cracked and would be virtually impossible to brute force. Due to the way this is implemented, though, the password is still only safe as long as your salt is secret, so making sure config files with your salt in them are safe is a top priority.

SeersIRC uses a combination of many features including salting and SHA1 to encrypt all passwords. Across forums, IRC (services) and other facilities, this keeps your passwords as safe as humanly possible.


Social Engineering
This in itself is a massive topic but I'll quickly touch on it, as from what I have observed most people being 'hacked' are victims of this, not of some technological miracle.

Social Engineering as described (quite well also I might add) here on wikipedia is the act of manipulating people into performing actions or divulging confidential information.

It is the single most common and reliable way of gaining access to information or systems an attacker wants. Examples of this you see and probably ignore every day:
  • Those 'You have 492 Viruses, install this to remove them' ads on websites, are a social engineering trick to get you to install their software
  • People pretending to be someone they aren't to get information from you is also social engineering (Pretend to be female somewhere and see how easy it is to get information/passwords/access)
  • More subtle things like people being told to type in some super script to give them ops on IRC for example. It would likely do something malicious on their side helping the attacker and not getting them any closer to their ops on IRC.
This is the biggest danger, and most common form of 'hacking' I have seen on online gaming and gaming related communities and something everyone should be mindful of.

Summary
A mini-check list for you:
  1. Don't trust anyone. If you believe everyone is out to somehow get your password or access your user name you're one step closer to keeping it safe.
  2. Use long, strong passwords. Where possible try to use passwords of 10+ characters and include symbols and numbers like !@#$%^&*() to decrease the chance of it being cracked.
  3. Ask questions. If you're using a new or existing service that requires you to login (Forums, IRC, Games) ask about their encryption, where databases are stored, who has access etc to help ensure you're safe.
  4. Administrators: Salt your passwords! Most software has it enabled by default but for anyone using old software or writing it yourself be sure you strongly salt your passwords to almost infinitely increase the security of the passwords.

http://www.passwordmeter.com/ is a great tool. Check it out and see what your common passwords score and see how easy it is to make them stronger!

Stay safe!

_________________


Wed Feb 04, 2009 5:13 am
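As an added illustration (not code from the original post, and not SeersIRC's own implementation), the following Python reproduces the post's points with the standard library's hashlib: a bare md5() of a common word is recovered instantly from a precomputed table, the same word with a site-wide salt is not, and both algorithms give a fixed-length output whatever the input. It also goes one step beyond the post: a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256) means the salt no longer has to be kept secret, because its job is only to make every stored hash unique. The wordlist and the salt strings are constructed for the demo, and all function names are my own.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist: stands in for the online lookup tables the post
# describes (google-able hashes of short or common passwords).
COMMON_WORDS = ["test", "mypass", "password", "letmein", "a"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, i.e. the md5() pseudo-function used in the post."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 hex digest."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> word for a wordlist; this is all a 'crack my md5' site is."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(hash_hex: str, table: dict):
    """Recover a password from its bare MD5 if it is in the precomputed table, else None."""
    return table.get(hash_hex)


def md5_site_salted(password: str, site_salt: str) -> str:
    """The post's scheme: one secret site-wide salt appended before hashing."""
    return md5_hex(password + site_salt)


def make_password_record(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt + slow PBKDF2-HMAC-SHA256 (the modern form of salting).

    The salt is stored next to the digest and need not be secret: it makes every
    user's hash unique so one lookup table cannot serve all of them, and the
    iteration count makes each guess expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    table = build_lookup(COMMON_WORDS)

    # Bare md5('test') from the post is recovered instantly from the table.
    bare = md5_hex("test")
    print(f"md5('test') = {bare} -> table lookup: {lookup_unsalted(bare, table)}")

    # Same password with a site salt: the table no longer knows it.
    salted = md5_site_salted("test", "*%#.gggfwe$>%}{")  # salt value is illustrative
    print(f"md5('test' + salt) = {salted} -> table lookup: {lookup_unsalted(salted, table)}")

    # Fixed-length output regardless of input length (32 hex chars for MD5, 40 for SHA-1).
    print(len(md5_hex("a")), len(md5_hex("a" * 1000)), len(sha1_hex("a")))

    # Two users with the same password get different stored records, and
    # verification still works for the right password only.
    rec1, rec2 = make_password_record("test"), make_password_record("test")
    print(rec1["digest"] != rec2["digest"], verify_password("test", rec1), verify_password("wrong", rec1))
```

The site-salt variant shows why the post says the salt must stay secret: if the attacker learns it, they can rebuild the table with the salt appended. The per-user random salt plus PBKDF2 has no such single secret, which is why it is the usual recommendation for anyone writing their own login code today.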
SeersIRC Addict

Joined: Mon Apr 02, 2007 1:41 am
Posts: 1501
Location: Hartland, Maine
Post subject: Re: Password Security
Niphyr wrote:
To show you just how easy it is, here is another hash: ae2b1fca515949e5d54fb22b8ed95575
If you use the site I found on the first google results page, milw0rm - http://www.milw0rm.com/cracker/insert.php you can see that too is an easy way to get results on hashed passwords.

Here's another site like the one you mentioned. This one does md5, double md5, sha1 and ripemd160, and it also has the option to put in a plaintext word and get back the hashes it creates.
http://hashdb.homelesshackers.net/

_________________
Will script for moneys, PM me on IRC. I stay in #SeersIRC.


Wed Feb 04, 2009 6:08 am
Occasional Member

Joined: Wed Feb 06, 2008 4:34 pm
Posts: 56
Location: São Paulo, Brazil
Post subject: Re: Password Security
One question: does the encryption "transform" a letter "a" from the password to more than one letter, like "hsvd"? If yes, is it always the same or does it change? If it was the same, it could be easily cracked, I think.
Just forcing my imagination, I don't understand that programmers' stuff :p.

_________________


Wed Feb 04, 2009 1:01 pm
Network Admin

Joined: Sat Sep 23, 2006 1:52 pm
Posts: 585
Location: Australia
Post subject: Re: Password Security
Brazil1991 wrote:
One question: does the encryption "transform" a letter "a" from the password to more than one letter, like "hsvd"? If yes, is it always the same or does it change? If it was the same, it could be easily cracked, I think.
Just forcing my imagination, I don't understand that programmers' stuff :p.


md5(a) => 0cc175b9c0f1b6a831c399e269772661

sha1(a) => 86f7e437faa5a7fce15d1ddcb9eaeaea377667b8

Both algorithms generate a hash of the same length regardless of the string you give it.

Both are also considered 'one way' and unlikely to simply be 'cracked'. Services that do claim to 'crack' them more often than not use methods of brute force such as rainbow tables etc. If you're interested in specifics a good start is googling some of the topics, wikipedia isn't bad either.

_________________


Wed Feb 04, 2009 2:28 pm
Occasional Member

Joined: Wed Feb 06, 2008 4:34 pm
Posts: 56
Location: São Paulo, Brazil
Post subject: Re: Password Security
Alright sir. Thanks.

_________________


Wed Feb 04, 2009 9:37 pm
Noobie

Joined: Sun Nov 11, 2007 7:32 am
Posts: 10
Location: New Zealand
Post subject: Re: Password Security
You can find the hash of any input with the mSL identifier $md5.

Code:
//echo $md5(x)


Where 'x' is the value you want to hash.

----------------------------------------

Great post. It sure makes you think how easy it is for people to steal your passwords.

_________________
Mak

SwiftKit - Head of Public Relations
xBNC Administrator


Mon Feb 09, 2009 6:53 am
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.