Monday, July 16th 2012

NVIDIA Forums Hack: Passwords Not Salted

A group of hackers going by the name "Team Apollo" has claimed responsibility for hacking the NVIDIA forums (forums.nvidia.com) and posted the first piece of its exploits on Pastebin (find it here). The user data dump contains details of every fifth user of the forums. From what we can tell looking at the pasted data (which is now very much in the public domain), the passwords found in the user tables are not salted. NVIDIA was less than honest about that part.

The passwords are stored as raw MD5 hashes, which are far easier to crack than hashes computed with a salt value. To make matters worse, certain MD5 lookup websites maintain large databases of precomputed MD5 hashes for common phrases, potentially making recovery of these passwords trivial. Or you could just use a CUDA-accelerated MD5 cracking tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble that of your NVIDIA forums account, it is strongly recommended that you change your passwords on each of those other websites.

55 Comments on NVIDIA Forums Hack: Passwords Not Salted

#1
newtekie1
Semi-Retired Folder
by: Oberon
Do they really need justification after stealing them in the first place? Looks like they kind of threw that whole "integrity" thing out the window already.
It might sound backwards, but some hackers do have integrity. Some hack into somewhere just to do it, then alert whoever they hacked to inform them how they did it so their security can be strengthened.

Though the people that hacked nVidia were obviously just doing it to be dicks.
Posted on Reply
#2
Aleksander
First of all, if I hack a password, I never tell anyone I stole (hacked) the password. I never use it to block their account.
No matter what would be my 'nickname'.
This all was made and paid very well to the programmers who cracked the forum for just that script in the pastebin. Read what they wrote very well. (I am referring to all)
That is the true reason why they hacked the forum.
Bear in mind that no matter how much I 'love god' I am never going to pay a hacker to hack nvidia forums. So the real reason is to make you believe that these GREAT HACKERS achieved that greatness on what they wrote on pastebin. It is just like a phishing mind. The hack was paid very well. There is no real reason why the Apollo would hack the forum.
Why exactly Nvidia? What is the real matter? If you find this, you will surely find the next hacking, not only on internet, but in real life!

Actually, reading it again, why apollo? Really, he says religion and political and other stuff? Where is the real name he should have used?
(You know what I am talking about)
Posted on Reply
#3
tacosRcool
good thing I don't have an account there!
Posted on Reply
#4
TheMailMan78
Big Member
by: newtekie1
It might sound backwards, but some hackers do have integrity. Some hack into somewhere just to do it, then alert whoever they hacked to inform them how they did it so their security can be strengthened.

Though the people that hacked nVidia were obviously just doing it to be dicks.
I agree. But with that being said such hackers don't brag. The ones that brag are dicks as you said.
Posted on Reply
#5
KissSh0t
All I can say to "Team Apollo" is....

0101100101101111011101010010000001110000011000010111010001101000011001010111010001101001011000110010000001101000011000010110001101101011011001010111001000100000011100110110001101110101011011010010110000100000011001110110111100100000011100000110110001100001011110010010000001110111011010010111010001101000001000000111001101101111011011010110010101110100011010000110100101101110011001110010000001100101011011000111001101100101001000000110110001101001011010110110010100100000010100110110111101101110011110010010000001101111011100100010000001010101011000100110100101110011011011110110011001110100001011100010111000101110
Posted on Reply
#6
Disruptor4
by: tacosRcool
good thing I don't have an account there!
I don't remember if I do or not. Is there a way to find out?
Posted on Reply
#7
theJesus
by: johnnyfiive
Pfft. I use 'passw0rd' and never have been hacked. [0_o]/
Apparently you don't use that for here. :p
by: pantherx12
Is anyone else's Techpowerup password techpowerup.....
Apparently not you. :p
by: Disruptor4
I don't remember if I do or not. Is there a way to find out?
One would hope that they'd send an email to anybody with an account warning them to change their passwords . . .
Posted on Reply
#8
Disruptor4
by: KissSh0t
All I can say to "Team Apollo" is....

0101100101101111011101010010000001110000011000010111010001101000011001010111010001101001011000110010000001101000011000010110001101101011011001010111001000100000011100110110001101110101011011010010110000100000011001110110111100100000011100000110110001100001011110010010000001110111011010010111010001101000001000000111001101101111011011010110010101110100011010000110100101101110011001110010000001100101011011000111001101100101001000000110110001101001011010110110010100100000010100110110111101101110011110010010000001101111011100100010000001010101011000100110100101110011011011110110011001110100001011100010111000101110
What's wrong with Ubi?

by: theJesus
One would hope that they'd send an email to anybody with an account warning them to change their passwords . . .
One would hope so... and I think they are/have. Just haven't received one yet so yeah.
Posted on Reply
#9
KissSh0t
by: Disruptor4
What's wrong with Ubi?
Not allowing me to play the game I bought for my laptop where I don't have constant internet access.. lol.

Interesting Sony wasn't mentioned xD
Posted on Reply
#10
TRWOV
by: W1zzard
I use asdfgh and variations on many sites that want me to register for some lame reason and I don't want to give them any hints of my real passwords
:laugh: I use akjwss (an old Geocities issued password) for the same reason. I must have 30-40 forum accounts with that password (pro tip: my user name for those isn't TRWOV either) :cool:
Posted on Reply
#11
Mussels
Moderprator
actually, techpowerup has some cool password theft protection technology.


if you type your password, it appears in plain text to you, and asterisks to everyone else:


Mussels
***********
Posted on Reply
#12
TRWOV
wow it's true

TRWOV
******************
Posted on Reply
#13
theJesus
by: Mussels
actually, techpowerup has some cool password theft protection technology.


if you type your password, it appears in plain text to you, and asterisks to everyone else:


Mussels
***********
lemme try that:

*********
Posted on Reply
#14
TRWOV
I feel safer already :toast:
Posted on Reply
#16
jigar2speed
by: remixedcat
the password is:
bellybutton
Thanks i have you now :laugh:
Posted on Reply
#17
Ikaruga
Guys, I was talking to someone at Nvidia yesterday, and he told me that the software they use doesn't even have an option to store the passwords in plain md5, and they are all salted. I understand this is something Nvidia would not rush to admit, but do you think it's possible that the pastebin info is fake?
Posted on Reply
#18
Aleksander
Really stupid. I was learning today that passwords with sha1 are extremely easy to implement, though they didn't waste money on their website.
And even want to earn millions!
Posted on Reply
#19
Mussels
Moderprator
by: Ikaruga
Guys, I was talking to someone at Nvidia yesterday, and he told me that the software they use doesn't even have an option to store the passwords in plain md5, and they are all salted. I understand this is something Nvidia would not rush to admit, but do you think it's possible that the pastebin info is fake?
entirely possible.
Posted on Reply
#20
Jizzler
The notice is still up: http://www.nvidia.com/content/forums/index.html

If faked, it would have taken less than 5 minutes for nVidia to discredit the hacking. So it's either real and they're investigating how it happened... or it's an nVidia plot to frame Apollo!
Posted on Reply
#21
TheMailMan78
Big Member
by: Jizzler
The notice is still up: http://www.nvidia.com/content/forums/index.html

If faked, it would have taken less than 5 minutes for nVidia to discredit the hacking. So it's either real and they're investigating how it happened... or it's an nVidia plot to frame Apollo!
Yes, I'm sure it's a vast conspiracy to frame Team Apollo. I can see it all now. Jen-Hsun dressed up like M. Bison from Street Fighter telling his minions to frame and stop Team Apollo and all their righteous endeavors to bring down evil corporations via the Nvidia forums. MASTER PLAN INDEED.
Posted on Reply
#22
Aquinus
Resident Wat-man
by: Aleksander Dishnica
Really stupid. I was learning today that passwords with sha1 are extremely easy to implement, though they didn't waste money on their website.
And even want to earn millions!
They do use a hashing algorithm, but what good is the hash if you're not salting the password. It doesn't take a lot of brute force power for a short password like "foobarpass," you add a salt to make it something like, "supersaltfoobarpasssuperpepper," that is much harder to brute force.

You also don't need to implement SHA1, many languages already have functions or classes and methods that handle hashing.
Posted on Reply
#23
claylomax
by: newtekie1
OMG! That is the combination to my luggage!
Priceless! :D
Posted on Reply
#24
Kreij
Senior Monkey Moderator
by: Aquinus
They do use a hashing algorithm, but what good is the hash if you're not salting the password. It doesn't take a lot of brute force power for a short password like "foobarpass," you add a salt to make it something like, "supersaltfoobarpasssuperpepper," that is much harder to brute force.
That has got to be the worst example of what using a random salt does to a password that I've ever seen. :laugh:

But you are right, Aquinus, salting makes it a lot harder to crack as well as using other things like multiple passes of encryption in combination with salts.

That being said, if you use a strong password and it's not salted, it still will have to be brute forced which is quite time consuming even with very powerful hardware.
Posted on Reply
#25
Widjaja
Unsalted hash passwords.....
Posted on Reply