HPI Identity Leak Checker

For suggestions for new features to add to the site. Even if you don't have a suggestion, at least vote on the features important to you.
u
Posts: 7
Joined: Sat May 17, 2014 3:50 pm

HPI Identity Leak Checker

Post by u » Fri Mar 01, 2019 3:59 pm

I checked my e-mail address on HPI Identity Leak Checker at

https://sec.hpi.uni-potsdam.de/ilc/

They sent me an email:

Attention: Your e-mail address xxx appears in at least one stolen and illegally published identity data base (a so-called identity leak).
The following sensitive information was freely found on the Internet in connection with your e-mail address:

net-chess.com Sep. 2017 83,203 Affected


So I checked a bit and found that net-chess.com was really hacked and many passwords were stolen; the passwords are shown in plain text. This happened because net-chess is using the weak MD5 hash algorithm. I sent greg a private message here some weeks ago but never got an answer.

So what should we do now? Change the password!
But it is also important to leave this weak MD5 and use a better algorithm.

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities.

abiodun
Posts: 182
Joined: Wed Oct 02, 2002 3:22 pm
Location: Beautiful Upstate NY...USA

Re: HPI Identity Leak Checker

Post by abiodun » Sun Mar 03, 2019 6:10 am


Thanks U, for this Interesting Post !

I never use to worry about such things as this ... but I suppose our world changes hourly !

What To Do Now .....? ? ?


Hmmmmmmm...... !
Chess is more than simply my pastime .... It has become My Passion !

gmiller
Site Admin
Posts: 1306
Joined: Sun Mar 14, 1999 11:13 am
Location: Jeffersonville, IN
Contact:

Re: HPI Identity Leak Checker

Post by gmiller » Mon Mar 04, 2019 8:30 am

The forum uses MD5. While it has weaknesses none of them apply to password storage, and there are "better" algorithms for password storage but none of them are actually good. The problem with all password hashing algorithms is that the passwords people choose are so weak there is no practical method of storage that meets any definition of secure. Your best practical option is to use different passwords for things that actually matter. It is of relatively low probability, and low impact that someone would actually want to hack in to your net-chess account and make moves as you.
Greg Miller
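To make the difference between "the forum uses MD5" and a password-storage algorithm concrete, here is an added example (not net-chess or phpBB code) that stores the same password two ways: a single unsalted MD5 digest, and PBKDF2-HMAC-SHA256 with a fresh random salt and a work factor. The record format, the iteration count and the sample password handling are assumptions for illustration. The point it shows is the one the thread circles around: with unsalted MD5 every user who picks the same password gets the same stored value, and that value is cheap to recompute, whereas the salted, iterated scheme gives each user a different record and makes each guess cost real work.

```python
"""Added example (not net-chess/phpBB code): unsalted MD5 password storage
compared with a salted, iterated key-derivation function (PBKDF2-HMAC-SHA256).
Record format, iteration count and sample values are assumptions for
illustration, not anything taken from the forum software."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster


def md5_store(password: str) -> str:
    """Legacy scheme: one unsalted MD5 digest of the password.
    Fast to compute and identical for every user who picks the same password,
    so one precomputed table of common passwords answers for the whole user base."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow scheme. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (assumed format)."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_visible(store: Callable[[str], str], password: str) -> bool:
    """True when two users with the same password get identical stored values,
    i.e. the store itself reveals that they share a password."""
    return store(password) == store(password)


if __name__ == "__main__":
    pw = "Idontknow1!"  # one of the passwords quoted later in the thread
    print("md5    :", md5_store(pw),
          "| same value for every user:", shared_password_visible(md5_store, pw))
    rec = pbkdf2_store(pw)
    print("pbkdf2 :", rec,
          "| same value for every user:", shared_password_visible(pbkdf2_store, pw))
    print("verify correct password:", pbkdf2_verify(pw, rec),
          "| wrong password:", pbkdf2_verify("Idontknow1", rec))
```

The per-user salt is what defeats a shared lookup table, and the iteration count is what makes each guess expensive; neither changes the fact that a weak password is still guessable, which is Greg's point, but both raise the cost per guess from one MD5 call to hundreds of thousands of HMAC calls.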

abiodun
Posts: 182
Joined: Wed Oct 02, 2002 3:22 pm
Location: Beautiful Upstate NY...USA

Re: HPI Identity Leak Checker

Post by abiodun » Thu Mar 07, 2019 1:57 am


Mr. Greg ............

Many Thanks for Sharing Your Internet / Chess-Net Knowledge With Us All Here ! ! !

You've Put My Mind at Ease ! ! !

Hello There Mr. U .............. Did You Read This ? ? ?

Hopefully So !
Chess is more than simply my pastime .... It has become My Passion !

u
Posts: 7
Joined: Sat May 17, 2014 3:50 pm

Re: HPI Identity Leak Checker

Post by u » Sun Mar 10, 2019 4:36 am

You can find many passwords from this site in plain text on the internet.
I do not want to publish the link for this text file.

In the text file you will find, for example, these passwords, which belong to net-chess users:

d4bLc58zeU
Idontknow1!
Eg4y8lap9Q

Are these passwords weak, and if yes why?
What kind of password should we use for net-chess to be safe?

gmiller
Site Admin
Posts: 1306
Joined: Sun Mar 14, 1999 11:13 am
Location: Jeffersonville, IN
Contact:

Re: HPI Identity Leak Checker

Post by gmiller » Sun Mar 10, 2019 8:34 am

Yes, those are weak. An actually secure password comprised of all printable ASCII characters chosen purely at random would need to be 39 characters long to meet today's definition of secure (256 bits of entropy). That's pretty much impossible for humans to memorize. What most people who are that concerned about it do is use a password manager to generate really long passwords, and look them up to log in to each site. But, like I said above, it's of very low probability that someone would want to log in to net-chess as you and do anything.
Greg Miller

energy
Posts: 167
Joined: Sun Apr 04, 1999 7:05 pm
Location: Oslo, Norway
Contact:

Re: HPI Identity Leak Checker

Post by energy » Mon Jul 08, 2019 2:24 am

However...

Some lowlife scum preying on the innocent tried to bully me into sending him $900 in bitcoins recently. He had my password (which was 8 characters long) and tried to use that to convince me he had hacked my machine. The sad truth is that a lot of non-technical people will probably believe this idiot.

Funny thing is, I used the "I have forgotten my password" link to reset my password (it is the fastest way) and the forum software generated a 13-character (all upper case) password for me. Is that the best phpBB will do?

BTW, I am more curious about how an attacker can test the millions of passwords needed, without having a copy of your (hashed) password file? In other words, without having hacked your site? That the whole site might have been breached seems to be a bit more worrying than having a few account passwords compromised....
Nils

--
Consider donating some computer time to science!
Read more here: http://folding.stanford.edu
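Greg's "39 printable ASCII characters for 256 bits" figure and Nils's 13-character all-uppercase reset password are both instances of the same arithmetic: a password of n symbols drawn uniformly at random from an alphabet of k symbols carries n * log2(k) bits of entropy. The following added example (not from the thread, nor phpBB's password generator) carries that calculation through for both alphabets and generates a password the way a password manager would, from the OS random source. The alphabet sizes (95 printable ASCII characters including space, 26 uppercase letters) and the 256-bit target are the figures from the posts above; the function names are mine.

```python
"""Added example (not from the thread or from phpBB): the entropy arithmetic
behind '39 random printable-ASCII characters for 256 bits', applied also to a
13-character all-uppercase password, plus random generation with `secrets`."""
import math
import secrets
import string

# 95 printable ASCII characters: letters, digits, punctuation and the space
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "
UPPERCASE_ONLY = string.ascii_uppercase  # 26 symbols, as in the reset password


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each chosen uniformly at random from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    This only holds for truly random choice; human-chosen strings carry far less."""
    return length * math.log2(alphabet_size)


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = PRINTABLE_ASCII) -> str:
    """Uniform random password from the OS CSPRNG via the secrets module
    (not the random module, which is not suitable for secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"{len(PRINTABLE_ASCII)} printable ASCII symbols, "
          f"{math.log2(len(PRINTABLE_ASCII)):.2f} bits each")
    print("length needed for 256 bits:", min_length_for(256, len(PRINTABLE_ASCII)))
    print(f"13 uppercase-only chars: {bits_of_entropy(13, 26):.1f} bits")
    print(f"8 printable-ASCII chars: {bits_of_entropy(8, 95):.1f} bits")
    print("example 39-char password:", generate_password(39))
```

Running it gives 6.57 bits per printable ASCII character, so 39 characters are needed to reach 256 bits (38 fall just short), while 13 uppercase-only characters come to about 61 bits and a random 8-character printable-ASCII password to about 53 bits; the numbers only describe random choice, which is why the thread's plain-text samples, however mixed their character classes, still count as weak.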

jumpnmustang
Posts: 41
Joined: Thu Jul 17, 2003 3:43 pm

Re: HPI Identity Leak Checker

Post by jumpnmustang » Mon Jul 08, 2019 2:50 am

It doesn't take much to brute force an insecure website, and you don't necessarily need to brute force a password on the insecure site. The risk isn't necessarily your password. I will stay away from this subject for the most part. But unless you're a security expert you are at risk logging into this site. You don't need an HPI identity leak checker to know this. Just look at the browser where it shows the link and see if it says secure or not.

Personally I do agree that if Greg wants this to continue in reality he should make the site itself more secure. I am training to be a security expert now. I am a beginner really, but one of the first things you learn is how to break insecure websites and why someone would do it. This is an interesting post that probably shouldn't be ignored.
Last edited by jumpnmustang on Wed Sep 25, 2019 5:58 am, edited 1 time in total.

jumpnmustang
Posts: 41
Joined: Thu Jul 17, 2003 3:43 pm

Re: HPI Identity Leak Checker

Post by jumpnmustang » Mon Jul 08, 2019 2:52 am

And BTW, never believe an email. If someone has your password, report it to an authority and change your password. Potentially enlist in sites that do two-factor authentication and make sure they have secure protocols.