Monday, July 16th 2012
NVIDIA Forums Hack: Passwords Not Salted
A group of hackers that claimed responsibility for hacking NVIDIA forums (forums.nvidia.com), which goes by the name "Team Apollo," posted the first piece of its exploits on Pastebin (find it here). The user data dump contains details of every fifth user of the forums. From what we can tell looking at the pasted data (which is now very much in the public domain), the passwords found in the user tables are not salted. NVIDIA was less than honest about that part.
The passwords are stored as raw MD5 hashes, which can be fairly-easily decrypted (when compared to hashes with salt values). To make matters worse, certain MD5 decryption websites have large databases of pre-decrypted MD5 phrases, potentially making decryption these hashes easy. Or you could just use a CUDA-accelerated MD5 decryption tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble that of your NVIDIA forums account, it is strongly recommended that you change your passwords on each of those other websites.
The passwords are stored as raw MD5 hashes, which can be fairly-easily decrypted (when compared to hashes with salt values). To make matters worse, certain MD5 decryption websites have large databases of pre-decrypted MD5 phrases, potentially making decryption these hashes easy. Or you could just use a CUDA-accelerated MD5 decryption tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble that of your NVIDIA forums account, it is strongly recommended that you change your passwords on each of those other websites.
55 Comments on NVIDIA Forums Hack: Passwords Not Salted
But mainly the first time I have heard of the word salted being used is relation to this situation.
You can't really decrypt a hash, but you can run many, many strings through the algorithm to see if the the hash you get matches the one in questions. This is easily done with dictionaries (as most people use common words for passwords so they can remember them) and with today's hardware can be done very quickly.
However, if the password is something very uncommon or convoluted, they will have to run a brute force attack on the hash. This means they will have to try every combination possible of the string.
This is incredibly hard if a) you have no idea what the length of the string is to begin with, and b) what characters are included in the string.
Here is and example
This is a MD5 hash of a strong password with no salt ... 4fa40cf7dd4c6ce484ef12a59ec28288
Good luck getting that password other than through brute force.
If I salted it it would be infinitely harder, but the point is that if you use a strong password from the start the likelyhood of your hash being compromised in still pretty slim.
I'll let you know when I'm done :laugh:
*edit* Well once I've learnt how to use the program I downloaded, it ripped through one of the examples it had though, took 0.2 ms to crack XD
*edit 2* Got it going, lets see how it goes!
*edit 3* Brute Force mode doesn't seem to be working ( does nothing!) So trying straight mode... this will take a while.
*edit 4* Nothing seems to be working at all XD 0% GPU utilisation ha ha