Slashdot Mirror
Hacker Puts 51 Million iMesh Accounts For Sale On Dark Web (zdnet.com)
An anonymous reader shares a ZDNet report: User accounts for iMesh, a now-defunct file sharing service, are for sale on the dark web. The New York-based music and video sharing company was a peer-to-peer service, which rose to fame in the file sharing era of the early-2000s, riding the waves of the aftermath of the "dotcom" boom. LeakedSource, a breach notification site that allows users to see if their details have been leaked, has obtained the database. The group's analysis of the database shows it contains a little over 51 million accounts. The database, of which a portion was shared with ZDNet for verification, contains user information that dates back to late-2005 when the site launched, including email addresses, passwords (which were hashed and salted with MD5, an algorithm that nowadays is easy to crack), usernames, a user's location and IP address, registration date, and other information -- such as if the account is disabled, or if the account has inbox messages.
Close down this dark web.
From 10yrs ago for a website no longer in service? They might get 100$ for that.
That's because they want CLINTON to win. Trump will be a president of the people, they can't let him win.
All this "MD5/SHA-1 is easy to crack" talk essentially boils down to "MD5 is a fast hash algorithm".
People regard hash algorithms which are slower as more secure, as they take longer to crack. The fact is though that the longer a hash algorithm takes to crack, the more load it puts on the server. So if your server has to churn for three seconds running ten million iterations of bcrypt in order to have a "strong" cipher, it "only" gives a linear increase in difficulcy for the attacker.
And while the attacker only has to find a password once, the server has to process log-ins all day long, day after day.
A really better solution to this is to 1. hash+salt the passwords (e.g. with sha-1 or maybe sha-256 if you really want) and 2. encrypt them via a HSM (e.g. with AES). Then you send the HSM your sha-256 value and the encrypted hash from the database, and the HSM tells you whether they match or not.
This way you will prevent hackers from doing any off-line brute-force attacks *at all*, unless they somehow get hold of the secret key inside the HSM. But this is much much harder than accessing the database.
Well any way, in the real best case, everybody just used yubikeys as first and only factor...
An "attack" means "faster than brute force".
For MD5, a video card from 2012 can brute force every possible 7 character password in a bit over an hour and every possible 8 character password in a bit over a year. If you limit it to likely passwords (letters and numbers) you can do 8 characters in 4 hours.
So yeah, any "truly strong" passwords are safe, for values of "truly strong" that were probably not well thought-out in 2005.
Though yet again, we have 2 shitty options. One is diarrhea spewing everywhere, one is solid shit.
a video card from 2012 can brute force every possible 7 character password in a bit over an hour and every possible 8 character password in a bit over a year.
That doesn't make sense. An 8 byte PW would take 256 times as long as a 7 byte PW, and really only ~128 times as long. So if a 7 byte PW takes an hour, then 8 bytes would take 5 days, not a year.
There are known weaknesses in MD5 that make it possible to find collisions in faster than brute force time.
What does that have to do with News for Nerds?
Now we have to lock you up, too.
And as GP said, collision attacks are meaningless for leaked password databases.
What you actually need is preimage attacks, and MD5 still is strong on that front.
If the numbers are accurate, it could have something to do with the space being searched. I don't understand either.