GoFuckYourself.com - Adult Webmaster Forum

- Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)

- - Was CrakRevenue Hacked? (https://gfy.com/showthread.php?t=1183829)

Fiddy people who were not hacked but some thought they were so a thread was made and the votes were cast and the winner is....... YOU

Well we found out they have a good hash decryption+ salt solution, which many companies would buy

Quote:

Originally Posted by Brian837 (Post 20726904)

So were they hacked? Still not sure

Bumparooni for crack.

2 fiddy for hash decryption + salt solution!

going once.

We don't know that.

But we do know there is an epic groundbreaking solution for hash decryption + salt!!!

So basically what we discovered is that if you're using crakrevenue your passwords are stored in plain text? Copy.

This went on the ignore list quick by crak

Another bump for perfect "hash decryption + salt" solution!

Busy for a bump, not busy for a great solution!

Another day, another great solution

Reminds me a little of my bank.

Password length must be 6 characters exactly, letters and numbers only.

A few years ago they changed from a standard web field to an "onscreen keyboard" that you have to click to enter the password. It only lets you enter upper case, but there were no problems with logging me in, even though my password (previously entered with the keyboard) was mixed case. If they were using hashes, there's no way that the uppercase version I entered would match the stored mixed case password. Wouldn't be unreasonable to guess they could be storing the pass in plain text format. Then again, maybe they have some o' dat special decryption algorithm + salt

Quote:

Originally Posted by Muad'Dib (Post 20727286)

:pimp:pimp

i don't know why they have limitations on password length anyway

Quote:

Originally Posted by dynastoned (Post 20742058)

could they have written something up for when people login it counts the characters of the password before it's encrypted/decrypted or however the login process works and once login page has finished it carries the true or false of $pw > 16 character information to your account. then if it's true that you have a password that is greater than 16 chars it sends the OP's email to your email addy they have for u in the db? or would that somehow compromise your password?

im not sure how a login page works exactly so i don't know but it seems possible.

Yes, this is possible, because even if the system uses hashes internally, you submit the password to the login page in cleartext. So it would certainly be possible for a program to do a once-off check and notify if it sees the password is too long.

Question is WHY is there the limit in the first place for crak? Password prompts can be made fixed size on a page - they'll just scroll sideways - and there's no real performance difference between sending 5 characters or 500 characters. So why are passwords limited to this length? Even if crak are encrypting them (special decryption algorithm + salt) that means they can be decrypted. Why would a program ever need to access your cleartext password?

:1orglaugh:1orglaugh:1orglaugh:1orglaugh:1orglaugh

Quote:

Originally Posted by Brian837 (Post 20726904)

So were they hacked? Still not sure

:winkwink::winkwink::winkwink:

Quote:

Originally Posted by ladida (Post 20733798)

Another bump for perfect "hash decryption + salt" solution!

Quote:

Originally Posted by rowan (Post 20742075)

lol good thing u caught my post i tried to add to the post n somehow edited it out. doing too many things at once.

but yeah things that make you go hmm...

Quote:

Originally Posted by rowan (Post 20741787)

No. They just stored it without case. Banks have specific limitations, and yours were letters and numbers only, so they "threw" your pass through something of an regex that would check if the pass had any of those and either block it (if it had special chars) or lowercase/uppercase all letters that were initially input. Thats why not it doesnt matter what u enter.