Monday, July 16th 2012

NVIDIA Forums Hack: Passwords Not Salted

A group of hackers calling itself "Team Apollo," which claimed responsibility for hacking the NVIDIA forums (forums.nvidia.com), posted the first piece of its exploits on Pastebin (find it here). The user data dump contains details of every fifth user of the forums. From what we can tell looking at the pasted data (which is now very much in the public domain), the passwords found in the user tables are not salted. NVIDIA was less than honest about that part.

The passwords are stored as raw MD5 hashes, which can be cracked fairly easily (compared to hashes with salt values). To make matters worse, certain MD5 lookup websites have large databases of precomputed MD5 hashes of common phrases, potentially making it easy to recover the passwords behind these hashes. Or you could just use a CUDA-accelerated MD5 cracking tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble the one for your NVIDIA Forums account, it is strongly recommended that you change your passwords on each of those other websites.

55 Comments on NVIDIA Forums Hack: Passwords Not Salted

#2
m1dg3t
WOW! Good lookin' out bta :toast:
Posted on Reply
#3
mayankleoboy1
using CUDA enabled crackers to crack NVIDIA passwords....
:laugh::roll:
Posted on Reply
#5
hhumas
hahahahhahahahah
Posted on Reply
#6
Elmo
already decrypted one:roll:
Posted on Reply
#7
Ikaruga
how do you know it's not salted? seriously please
Posted on Reply
#8
newtekie1
Semi-Retired Folder
A good policy, and one I use, is to not use any similar passwords for important things. Each email address has a totally different password, my bank passwords are also totally different. I very rarely use the same password for two things, though I do have one password that I use for sites that I'll probably only ever visit once and don't care about.
Posted on Reply
#9
W1zzard
by: Ikaruga
how do you know it's not salted? seriously please
if you md5 12345678 you get 25d55ad283aa400af464c76d713c07ad

search for that text in the posted data and you will find it three times
Posted on Reply
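The check W1zzard describes above, written out as an added example (not code from the article or any commenter): it flags bare MD5 in a credential column by looking for repeated digests and for the MD5 of a known weak password, then shows salted PBKDF2 storage, where the same password yields a different stored value for every user. The sample rows, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def unsalted_md5_evidence(stored, probes=("12345678", "qwerty")):
    """Audit a column of stored hashes for signs of bare, unsalted MD5.

    Returns (repeated, hits): digests that occur more than once, and the
    probe passwords whose plain MD5 appears in the column. With a per-user
    salt neither should happen, even when users share a password.
    """
    counts = Counter(h.lower() for h in stored)
    repeated = {h: n for h, n in counts.items() if n > 1}
    hits = [p for p in probes if md5_hex(p) in counts]
    return repeated, hits

def hash_password(password: str, salt: bytes = None, iterations: int = 600_000):
    """Salted, deliberately slow storage: a random 16-byte salt per user."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, derived

def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    _, derived = hash_password(password, salt, iterations)
    return hmac.compare_digest(derived, expected)  # constant-time comparison

# Constructed sample column: the digest quoted in the thread three times,
# plus one unrelated constructed entry.
SAMPLE = [
    "25d55ad283aa400af464c76d713c07ad",
    md5_hex("constructed-sample-passphrase"),
    "25d55ad283aa400af464c76d713c07ad",
    "25d55ad283aa400af464c76d713c07ad",
]

if __name__ == "__main__":
    repeated, hits = unsalted_md5_evidence(SAMPLE)
    print("repeated digests:", repeated)
    print("weak passwords stored as bare MD5:", hits)
    salt_a, stored_a = hash_password("12345678")
    salt_b, stored_b = hash_password("12345678")
    print("same password, salted values equal?", stored_a == stored_b)
```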
#10
newtekie1
Semi-Retired Folder
by: W1zzard
if you md5 12345678 you get 25d55ad283aa400af464c76d713c07ad

search for that text in the posted data and you will find it three times
OMG! That is the combination to my luggage!
Posted on Reply
#11
Kreij
Senior Monkey Moderator
Hash "qwerty" and I'm sure you will get some matches too.
Posted on Reply
#12
Ikaruga
by: W1zzard
if you md5 12345678 you get 25d55ad283aa400af464c76d713c07ad

search for that text in the posted data and you will find it three times
thank you dear good sir:toast:
Posted on Reply
#13
TheMailMan78
Banstick Dummy
by: newtekie1
A good policy, and one I use, is to not use any similar passwords for important things. Each email address has a totally different password, my bank passwords are also totally different. I very rarely use the same password for two things, though I do have one password that I use for sites that I'll probably only ever visit once and don't care about.
Indeed. NONE of my passwords are the same.
Posted on Reply
#14
newtekie1
Semi-Retired Folder
by: TheMailMan78
Indeed. NONE of my passwords are the same.
Yeah, in a perfect world no one should have to worry about this. Then again, apparently some of the users used 12345678 as their passwords, so we obviously aren't in a perfect world.:ohwell:
Posted on Reply
#15
Kreij
Senior Monkey Moderator
This is from a local WI news site.
Gives you an idea what people regularly use as passwords.
Posted on Reply
#16
TheMailMan78
Banstick Dummy
by: newtekie1
Yeah, in a perfect world no one should have to worry about this. Then again, apparently some of the users used 12345678 as their passwords, so we obviously aren't in a perfect world.:ohwell:
Well as dumb as I am compared to a few users on TPU about tech stuff I ain't THAT dumb. I think a lot of the older TPU crowd is far more tech savvy than the average user.

I once "fixed" a computer for someone who acted as if they pioneered software engineering yet couldn't figure out why he was getting BSOD's. I sat down on his OEM rig and discovered 32 viruses and his not so well hid porn stash. He said the viruses downloaded the porn. His wife kept asking me if that was true and I just said "It's possible" :laugh:

After she left I said to him "Dude come on. You hid your porn on the desktop in a folder called "(His name) Work Files" This virus knew your first name?" :laugh:
Posted on Reply
#17
DarkOCean
by: newtekie1
Yeah, in a perfect world no one should have to worry about this. Then again, apparently some of the users used 12345678 as their passwords, so we obviously aren't in a perfect world.:ohwell:
They obviously did not consider their accounts as being important.
Posted on Reply
#18
W1zzard
I use asdfgh and variations on many sites that want me to register for some lame reason and I don't want to give them any hints of my real passwords
Posted on Reply
#19
Elmo
by: TheMailMan78
Well as dumb as I am compared to a few users on TPU about tech stuff I ain't THAT dumb. I think a lot of the older TPU crowd is far more tech savvy than the average user.

I once "fixed" a computer for someone who acted as if they pioneered software engineering yet couldn't figure out why he was getting BSOD's. I sat down on his OEM rig and discovered 32 viruses and his not so well hid porn stash. He said the viruses downloaded the porn. His wife kept asking me if that was true and I just said "It's possible" :laugh:

After she left I said to him "Dude come on. You hid your porn on the desktop in a folder called "(His name) Work Files" This virus knew your first name?" :laugh:
Now this deserves a gold award as it made me laugh.
Posted on Reply
#20
Major_A
After having a few friends get their email accounts hacked I started using 16-32 character passwords. I know that they are still vulnerable but the hope is they are harder to crack than lazier people. Kind of like the expression about 2 people and a bear, "I don't have to run faster than the bear, just faster than you".

If you want a totally random password then I'd suggest using PCTools Secure Password Generator.
http://www.pctools.com/guides/password/
Posted on Reply
#21
johnnyfiive
Pfft. I use 'passw0rd' and never have been hacked. [0_o]/
Posted on Reply
#22
Aleksander
Why did they publish the passwords???
Posted on Reply
#23
1c3d0g
On a more serious note: are TPU's forum passwords salted? You just never know what these script kiddie fuckers will target next... :shadedshu
Posted on Reply
#24
pantherx12
by: Aleksander Dishnica
Why did they publish the passwords???
To prove that they had them.

Is anyone else's Techpowerup password techpowerup.....
Posted on Reply
#25
Oberon
by: Aleksander Dishnica
Why did they publish the passwords???
Do they really need justification after stealing them in the first place? Looks like they kind of threw that whole "integrity" thing out the window already.
Posted on Reply