NVIDIA Forums Hack: Passwords Not Salted

btarunr · Jul 16, 2012, 03:48 PM

A group of hackers that claimed responsibility for hacking NVIDIA forums (forums.nvidia.com), which goes by the name "Team Apollo," posted the first piece of its exploits on Pastebin (find it here). The user data dump contains details of every fifth user of the forums. From what we can tell looking at the pasted data (which is now very much in the public domain), the passwords found in the user tables are not salted. NVIDIA was less than honest about that part.

The passwords are stored as raw MD5 hashes, which can be fairly-easily decrypted (when compared to hashes with salt values). To make matters worse, certain MD5 decryption websites have large databases of pre-decrypted MD5 phrases, potentially making decryption these hashes easy. Or you could just use a CUDA-accelerated MD5 decryption tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble that of your NVIDIA forums account, it is strongly recommended that you change your passwords on each of those other websites.

Ikaruga · Jul 16, 2012, 03:55 PM

m1dg3t · Jul 16, 2012, 03:56 PM

WOW! Good lookin' out bta

mayankleoboy1 · Jul 16, 2012, 04:05 PM

using CUDA enabled crackers to crack NVIDIA passwords....

MaKCuMyC · Jul 16, 2012, 04:07 PM

Again.

hhumas · Jul 16, 2012, 04:16 PM

hahahahhahahahah

Elmo · Jul 16, 2012, 04:26 PM

already decrypted one

Ikaruga · Jul 16, 2012, 04:33 PM

how do you know it's not salted? seriously please

newtekie1 · Jul 16, 2012, 04:38 PM

A good policy, and one I use, it to not use any similar passwords for important things. Each email address has a totally different password, my bank passwords are also totally different. I vary rarely use the same password for two things, though I do have one password that I use for sites that I'll probably only ever visit once and don't care about.

W1zzard · Jul 16, 2012, 04:38 PM

Quote:

Originally Posted by Ikaruga

how do you know it's not salted? seriously please

if you md5 12345678 you get 25d55ad283aa400af464c76d713c07ad

search for that text in the posted data and you will find it three times

newtekie1 · Jul 16, 2012, 04:40 PM

Quote:

Originally Posted by W1zzard

if you md5 12345678 you get 25d55ad283aa400af464c76d713c07ad

search for that text in the posted data and you will find it three times

OMG! That is the combination to my luggage!

Kreij · Jul 16, 2012, 04:40 PM

Hash "qwerty" and I'm sure you will get some matches too.

Ikaruga · Jul 16, 2012, 04:41 PM

Quote:

Originally Posted by W1zzard

if you md5 12345678 you get 25d55ad283aa400af464c76d713c07ad

search for that text in the posted data and you will find it three times

thank you dear good sir

TheMailMan78 · Jul 16, 2012, 04:42 PM

Quote:

Originally Posted by newtekie1

A good policy, and one I use, it to not use any similar passwords for important things. Each email address has a totally different password, my bank passwords are also totally different. I vary rarely use the same password for two things, though I do have one password that I use for sites that I'll probably only ever visit once and don't care about.

Indeed. NONE of my passwords are the same.

newtekie1 · Jul 16, 2012, 04:44 PM

Quote:

Originally Posted by TheMailMan78

Indeed. NONE of my passwords are the same.

Yeah, in a perfect world no one should have to worry about this. Then again, apparently some of the users used 12345678 as their passwords, so we obviously aren't in a perfect world.

Kreij · Jul 16, 2012, 04:57 PM

This is from a local WI news site.
Gives you an idea what people regularly use as passwords.

TheMailMan78 · Jul 16, 2012, 05:04 PM

Quote:

Originally Posted by newtekie1

Yeah, in a perfect world no one should have to worry about this. Then again, apparently some of the users used 12345678 as their passwords, so we obviously aren't in a perfect world.

Well as dumb as I am compared to a few users on TPU about tech stuff I ain't THAT dumb. I think a lot of the older TPU crowd is far more tech savvy then the average user.

I once "fixed" a computer for someone who acted as if they pioneered software engineering yet couldn't figure out why he was getting BSOD's. I sat down on his OEM rig and discovered 32 viruses and his not so well hid porn stash. He said the viruses downloaded the porn. His wife kept asking me if that was true and I just said "Its possible"

After she left I said to him "Dude come on. You hid your porn on the desktop in a folder called "(His name) Work Files" This virus knew your first name?"

DarkOCean · Jul 16, 2012, 05:07 PM

Quote:

Originally Posted by newtekie1

Yeah, in a perfect world no one should have to worry about this. Then again, apparently some of the users used 12345678 as their passwords, so we obviously aren't in a perfect world.

They obviously did not consider their accounts as being important.

W1zzard · Jul 16, 2012, 05:10 PM

I use asdfgh and variations on many sites that want me to register for some lame reason and I don't want to give them any hints of my real passwords

Elmo · Jul 16, 2012, 05:12 PM

Quote:

Originally Posted by TheMailMan78

Well as dumb as I am compared to a few users on TPU about tech stuff I ain't THAT dumb. I think a lot of the older TPU crowd is far more tech savvy then the average user.

I once "fixed" a computer for someone who acted as if they pioneered software engineering yet couldn't figure out why he was getting BSOD's. I sat down on his OEM rig and discovered 32 viruses and his not so well hid porn stash. He said the viruses downloaded the porn. His wife kept asking me if that was true and I just said "Its possible"

After she left I said to him "Dude come on. You hid your porn on the desktop in a folder called "(His name) Work Files" This virus knew your first name?"

Now this deserves a gold award as it made me laugh.

Major_A · Jul 16, 2012, 05:23 PM

After having a few friends get their email accounts hacked I started using 16-32 character passwords. I know that they are still vulnerable but the hope is they are harder to crack than lazier people. Kind of like the expression about 2 people and a bear, "I don't have to run faster than the bear, just faster than you".

If you want a totally random password then I'd suggest using PCTools Secure Password Generator.
http://www.pctools.com/guides/password/

johnnyfiive · Jul 16, 2012, 05:37 PM

Pfft. I use 'passw0rd' and never have been hacked. [0_o]/

Aleksander · Jul 16, 2012, 05:52 PM

Why did they publish the passwords???

1c3d0g · Jul 16, 2012, 05:55 PM

On a more serious note: are TPU's forum passwords salted? You just never know what these script kiddie fuckers will target next...

pantherx12 · Jul 16, 2012, 05:56 PM

Quote:

Originally Posted by Aleksander Dishnica

Why did they publish the passwords???

To prove that they had them.

Is anyone elses Techpowerup password techpowerup.....

Jul 16, 2012, 03:48 PM	#1
btarunr Editor & Senior Moderator Join Date: Oct 2007 Location: Hyderabad, India Posts: 14,983 (7.29/day) Thanks: 788 Thanked 12,907 Times in 5,654 Posts System Specs	NVIDIA Forums Hack: Passwords Not Salted A group of hackers that claimed responsibility for hacking NVIDIA forums (forums.nvidia.com), which goes by the name "Team Apollo," posted the first piece of its exploits on Pastebin (find it here). The user data dump contains details of every fifth user of the forums. From what we can tell looking at the pasted data (which is now very much in the public domain), the passwords found in the user tables are not salted. NVIDIA was less than honest about that part. The passwords are stored as raw MD5 hashes, which can be fairly-easily decrypted (when compared to hashes with salt values). To make matters worse, certain MD5 decryption websites have large databases of pre-decrypted MD5 phrases, potentially making decryption these hashes easy. Or you could just use a CUDA-accelerated MD5 decryption tool, which munches through unsalted MD5 hash values at the speed of a small supercomputer. If you have an NVIDIA Forums account, and your passwords on other websites (forums, email accounts, banks) even remotely resemble that of your NVIDIA forums account, it is strongly recommended that you change your passwords on each of those other websites.

System Name:	Blackbox
Processor:	Intel Core i7-950
Motherboard:	Intel Extreme Series DX58OG
Cooling:	Xigmatek Aegir SD128264 with IC Diamond 24 Thermal Compound
Memory:	12GB ADATA Premier (3x 4GB) DDR3-1333 MHz
Video Card:	Palit GeForce GTX 680 JetStream 2GB outfitted with IC Diamond 24 TIM
Hard Disk:	Samsung 840 Series 250GB, Random 8 TB storage
Optical Drive:	HT-LG DVD-RW
CRT/LCD Model:	ViewSonic VX2450wm-LED
Case:	Cooler Master CM690 Window
Sound Card:	Creative SB Recon3D
PSU:	Corsair HX850W
Software:	Windows 8 Pro 64-bit

Jul 16, 2012, 03:56 PM	#3
m1dg3t Join Date: May 2010 Location: Canada Posts: 1,902 (1.73/day) Thanks: 630 Thanked 429 Times in 353 Posts System Specs	WOW! Good lookin' out bta __________________ Why dazzle 'em with brilliance when you can baffle 'em with bullshit. Alterius non sit, qui potest esse sui! Und setzet ihr nicht das leben ein, Nie wird euch das leben gewonnen sein! If knowledge is power, then ignorance is bliss! If god didn't want them sheared, he wouldn't have made them sheep!

System Name:	m1dg3t \| DeathBox
Processor:	3570k \| q9550 @ 3.77 1.325v BIOS
Motherboard:	Asrock z77e iTX \| p5q Dlx 2301 BIOS
Cooling:	Custom Water \| D-14 & HR-03gt
Memory:	Samsung MV-3V4G3D \| OcZ RpR 2g x 4 @ 1067 2.2v
Video Card:	MSi 7950 tf3 \| Asus 5870 V2 @ 900 / 1275
Hard Disk:	Adata sx900 256Gb / WD2500HHTZ \| WD 1001 FALS x 2
Optical Drive:	As Needed \| LG ch12 BD
CRT/LCD Model:	BenQ gw2750hm \| 46" Sharp Quatron
Case:	BitFenix Prodigy \| Antec Fusion Remote MAX
Sound Card:	Onboard > Yamaha HTR 6290 \| Xonar HDAV1.3 > Yamaha DSP z7
PSU:	Ocz mXp700w \| Ocz zx850w
Software:	Win7 Home \| Xp sp3 & Vista ultimate
Benchmarks:	Epeen!! Who needs epeen??

System Name:	Avalon
Processor:	Intel® Core™ i7-3770K
Motherboard:	ASUS P8Z68-V PRO/GEN3
Cooling:	Thermalright HR-02 Macho Rev. A (B&W Edition) @ Passive
Memory:	2x Samsung M378B5273DH0-CH9 @ 2133 MHz 10-11-11-28-1T 1.5V
Video Card:	Intel® HD Graphics 4000
Hard Disk:	SSD: OCZ Vertex 4 128 GB; RAID0: 2x WDC WD10JPVT
Optical Drive:	Optiarc DVD RW AD-7260S
CRT/LCD Model:	SΛMSUNG S27A550
Case:	Cooler Master CM 690 II Advanced White
PSU:	Seasonic X-460 FANLESS
Software:	Windows 7 SP1 64-bit

Jul 16, 2012, 03:55 PM	#2
Ikaruga Join Date: Feb 2011 Posts: 642 (0.78/day) Thanks: 391 Thanked 127 Times in 89 Posts

Jul 16, 2012, 04:05 PM	#4
mayankleoboy1 Join Date: Apr 2011 Posts: 12 (0.02/day) Thanks: 1 Thanked 6 Times in 2 Posts	using CUDA enabled crackers to crack NVIDIA passwords....

Jul 16, 2012, 04:07 PM	#5
MaKCuMyC Join Date: Mar 2011 Posts: 46 (0.06/day) Thanks: 5 Thanked 4 Times in 4 Posts System Specs	Again.

Jul 16, 2012, 04:16 PM	#6
hhumas Join Date: Jun 2011 Location: Islamabad Posts: 529 (0.76/day) Thanks: 170 Thanked 22 Times in 13 Posts System Specs	hahahahhahahahah __________________ “http://www.heatware.com/eval.php?id=76372”

System Name:	Hhumas-PC
Processor:	Intel(R) Core(TM)2 Extreme CPU X9650 @ 3.00GHz (4 CPUs), ~3.0GHz
Motherboard:	Asus P5W DH Deluxe
Cooling:	ZALMAN CNPS 9700 NT 110mm 2 Ball Ultra Quiet
Memory:	OCZ Platinium 2x2GB
Video Card:	ZOTAC GeForce GTX 680 2GB 256-bit GDDR5
Hard Disk:	WD Green 500 GB , WD 500 GB
Optical Drive:	None
CRT/LCD Model:	Dell U2410F
Case:	Casecom
Sound Card:	Creative Sound Blaster X-Fi Titanium Fatal1ty Pro
PSU:	Corsair HX1000
Software:	Windows 7 Ultimate 32 Bit

Jul 16, 2012, 04:26 PM	#7
Elmo Join Date: May 2012 Location: Malaysia Posts: 254 (0.70/day) Thanks: 16 Thanked 35 Times in 31 Posts System Specs	already decrypted one __________________ ⎝⏠⏝⏠⎠

System Name:	Balls
Processor:	I5 2400
Motherboard:	GA-H67MA-UD2H-B3
Memory:	16GB ddr3
Video Card:	1gb gddr5 evga gtx460
Hard Disk:	60gb corsair force3 120gb mushkin chronos 500gb wd green
Optical Drive:	24x dvdrw
CRT/LCD Model:	Samsung 23" led 1080p
PSU:	Cm 600w 80+
Software:	win7 ultimate 64 bit

Jul 16, 2012, 04:33 PM	#8
Ikaruga Join Date: Feb 2011 Posts: 642 (0.78/day) Thanks: 391 Thanked 127 Times in 89 Posts	how do you know it's not salted? seriously please

Jul 16, 2012, 04:38 PM	#9
newtekie1 Semi-Retired Folder Join Date: Nov 2005 Location: Indiana Posts: 17,754 (6.48/day) Thanks: 780 Thanked 5,116 Times in 3,707 Posts System Specs	A good policy, and one I use, it to not use any similar passwords for important things. Each email address has a totally different password, my bank passwords are also totally different. I vary rarely use the same password for two things, though I do have one password that I use for sites that I'll probably only ever visit once and don't care about. __________________ Rig1: System Specs. Rig2: A8-5600K@4.4GHz / AsRock FM2A75 Pro4 / 8GB Corsair DDR3-1600 9-9-9-24 / HD7560D / Samsung DVD-Burner / 1.5TB WD Green + 3x3TB WD RED in RAID5 Rig3: Athlon X2 4200+ / M4A79 Deluxe / 4GB G.Skill Pi DDR2-800 4-4-4-12 / GT430 / Sony DVD-Burner / 500GB WD Rig4: Phenom II x6 1605T @ 3.6GHz / Asus M5A99X Evo / 8GB PNY DDR3-1600 9-9-9 / GTX470 & GTX470 / Samsung DVD-Burner / 1.5TB Seagate

Processor:	Intel Core i7 875K@4.0GHz(200x20)
Motherboard:	eVGA P55 FTW 200
Cooling:	Thermalright Ultra-120 Extreme w/ Corsair SP120 High Performance Edition
Memory:	8GB Corsair DDR3-1600 7-7-7-20
Video Card:	ASUS GTX 670 4GB DirectCU II @ 1015/3600
Hard Disk:	1TB Seagate 7200.12(OS), 3x 1.5TB Seagate 7200.11 in RAID 5
Optical Drive:	Lite-On Blu-Ray Combo Drive IHES108
CRT/LCD Model:	HP 25" 2509m 1080p LCD
Case:	Lian-Li Lancool Metal Boned K7 w/ Windowed Side Panel
Sound Card:	Onboard is good enough for me
PSU:	Corsair HX850
Software:	Windows 7 x64 Professional

Processor:	Intel Core i7-2600K @ 3.4 GHz
Motherboard:	ASUS P8Z68-V Pro
Memory:	3x 2048 MB Mushkin DDR3
Video Card:	ASUS GeForce GTX 670 Direct CU II TOP
Hard Disk:	Crucial C300 128 GB, WD6400AAKS 640 GB, WD15EADS 1.5 TB
Optical Drive:	BenQ DW1640
CRT/LCD Model:	Dell U3011 30", 2560x1600 + 19" 1280x1024
Case:	NZXT H2
Sound Card:	On-board Realtek HD
PSU:	Kingwin Absolute Platinum 550 W
Software:	Windows 7 64-bit

Jul 16, 2012, 04:40 PM	#12
Kreij Hardcore Monkey Moderator Join Date: Feb 2007 Location: Cheeseland (Wisconsin, USA) Posts: 12,117 (5.27/day) Thanks: 591 Thanked 5,493 Times in 2,937 Posts System Specs	Hash "qwerty" and I'm sure you will get some matches too. __________________ Cloud (noun, singular): A dynamic arrangement of multiple potential single points of failure, with a user at one end and their data at the other. Get more tech news on a wide variety of topics at NextPowerUp

Processor:	Intel Core 2 Quad QX9650 Extreme @ 3.0 GHz
Motherboard:	Asus Rampage Formula
Cooling:	ZeroTherm Nirvana NV120 Premium
Memory:	8GB (4 x 2GB) Corsair Dominator PC2-8500
Video Card:	2 x Sapphire Radeon HD6970
Hard Disk:	2 x Seagate Barracuda 320GB in RAID 0
Optical Drive:	Sony DRU-120C DVD-RW
CRT/LCD Model:	Dell 3007WFP 30" LCD (2560 x 1600)
Case:	Thermaltake Armor w/ 250mm Side Fan
Sound Card:	SupremeFX 8ch Audio
PSU:	Thermaltake Toughpower 750W Modular
Software:	Win8 Pro x64 / Cat 12.10

System Name:	The Mailbox 3.5
Processor:	Intel i7 2600k @ 3.8GHz
Motherboard:	ASUS Maximus IV Gene-Z
Cooling:	Stock
Memory:	G.SKILL Sniper Series 8GB DDR3 1866: 9-9-9-24
Video Card:	EVGA GTX670 "FTW" Edition @ 1006MHz
Hard Disk:	256gb M4 SSD, 500Gb WD (7200)
Optical Drive:	LG - 24x Double-Layer DVD±RW/CD-RW Drive
CRT/LCD Model:	24" ASUS 1920 x 1080
Case:	Cooler Master 922 HAF
Sound Card:	SupremeFX X-Fi 2 with Bose Companion 2 speakers.
PSU:	SeaSonic X Series X650 Gold
Software:	Windows 8 Pro w/Media Center 64bit
Benchmarks:	Benching is for bitches.

Jul 16, 2012, 04:57 PM	#16
Kreij Hardcore Monkey Moderator Join Date: Feb 2007 Location: Cheeseland (Wisconsin, USA) Posts: 12,117 (5.27/day) Thanks: 591 Thanked 5,493 Times in 2,937 Posts System Specs	This is from a local WI news site. Gives you an idea what people regularly use as passwords. __________________ Cloud (noun, singular): A dynamic arrangement of multiple potential single points of failure, with a user at one end and their data at the other. Get more tech news on a wide variety of topics at NextPowerUp

System Name:	( . Y . )
Processor:	e2160
Motherboard:	asus p5vd2-mx
Memory:	2gb ddr2 533
Video Card:	4850
Hard Disk:	maxtor 200gb
CRT/LCD Model:	17" lg
Case:	custom benchtable aka two piece of wood on a stick
Sound Card:	onboard
PSU:	something 600w(not really)
Software:	windows 7 x86 ha!
Benchmarks:	highest in the world...really !

Jul 16, 2012, 05:10 PM	#19
W1zzard Benevolent Dictator Join Date: May 2004 Location: Stuttgart, Germany Posts: 13,789 (4.18/day) Thanks: 184 Thanked 10,270 Times in 3,173 Posts System Specs	I use asdfgh and variations on many sites that want me to register for some lame reason and I don't want to give them any hints of my real passwords

Jul 16, 2012, 05:23 PM	#21
Major_A Join Date: Jun 2009 Location: Houston, TX Posts: 128 (0.09/day) Thanks: 13 Thanked 25 Times in 24 Posts System Specs	After having a few friends get their email accounts hacked I started using 16-32 character passwords. I know that they are still vulnerable but the hope is they are harder to crack than lazier people. Kind of like the expression about 2 people and a bear, "I don't have to run faster than the bear, just faster than you". If you want a totally random password then I'd suggest using PCTools Secure Password Generator. http://www.pctools.com/guides/password/

System Name:	2600k
Processor:	i7 2600K
Motherboard:	Intel DZ68BC
Cooling:	Asetek 550LC
Memory:	16GB
Video Card:	GTX 570
Hard Disk:	120GB Agility 3/2TB WD Caviar Black x 2/Intel 311 (Cache Drive)
Optical Drive:	LG Blu-Ray ROM
CRT/LCD Model:	Samsung 2253BW (1680x1050)
Case:	Lian Li PC-8FIR (Silver)
Sound Card:	X-Fi Titanium Fata1ity
PSU:	Cooler Master Silent Pro M 1000W
Software:	Win 7 Pro x64 SP1
Benchmarks:	Logitech G500 \| Razer Lycosa Mirror \| Logitech Z-5300

Jul 16, 2012, 05:37 PM	#22
johnnyfiive Join Date: Apr 2008 Location: Tucson, AZ Posts: 2,975 (1.60/day) Thanks: 740 Thanked 856 Times in 537 Posts System Specs	Pfft. I use 'passw0rd' and never have been hacked. [0_o]/ __________________ [o_0] - GO BUCKEYES! ------------------------------------------------------ HEATWARE /MY KEYBOARD / VIDEO OF MY LGA 2011 RIG ------------------------------------------------------ Steam: johnnyfiive ORIGIN: johnny5iive League of Legends: 5iive

System Name:	K6-II 8320
Processor:	FX 8320 @ 4.7GHz (1.476v)
Motherboard:	Gigabyte 970 UD3
Cooling:	Corsair H100
Memory:	GSkill Ares 1866 8GB
Video Card:	Gigabyte 7870
Hard Disk:	Intel 330 120GB
Optical Drive:	LG R/W+/-[0_o]/
CRT/LCD Model:	Dell UltraSharp U2713HM
Case:	Corsair 400R
Sound Card:	Onboard
PSU:	Corsair GS700
Software:	Windows 8 Professional 64-Bit

Jul 16, 2012, 05:52 PM	#23
Aleksander Join Date: Dec 2009 Posts: 3,028 (2.39/day) Thanks: 648 Thanked 280 Times in 228 Posts System Specs	Why did they publish the passwords???

System Name:	Mercury
Processor:	Phenom II x4 B50
Motherboard:	ASUS M4A89GTD PRO
Cooling:	Cooler Master Hyper TX3
Memory:	6GB Ram (4GBx1 Corsair 2GBx1 Nanya)
Video Card:	PowerColor AX6770 V2.0
Hard Disk:	1TB Hitachi, 500 GB WD Blue
Optical Drive:	DVD-RAM
CRT/LCD Model:	Philips 247E-LPH 24" 1920x1080
Case:	Mercury
Sound Card:	Integrated Realtek
PSU:	Corsair 750TX
Software:	Windows 7 64-bit
Benchmarks:	Maybe it is time to benchmark :D

Jul 16, 2012, 05:55 PM	#24
1c3d0g Join Date: Dec 2007 Posts: 615 (0.31/day) Thanks: 2,255 Thanked 47 Times in 38 Posts	On a more serious note: are TPU's forum passwords salted? You just never know what these script kiddie fuckers will target next...

System Name:	Panther's PC
Processor:	FX8120 4.5 ghz + 0.125 volts over stock
Motherboard:	Gigabyte 990fxa ud3
Cooling:	Ek Supreme, Coolingking Tripple Thick Copper Radiator
Memory:	Hyperx 4x2gb 1600mhz
Video Card:	460 768mb : [
Hard Disk:	WD blue 500gb
CRT/LCD Model:	AOC HD
Case:	Mountain Mods U2-UFO
Sound Card:	Audigy z2
PSU:	Powercool 750w modular PSU ( GAMBLING YAY!)
Software:	Windows SEVEN
Benchmarks:	Pffft benchmarking for me is for the lulz only!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
NVIDIA Forums Hacked	btarunr	News	27	Jul 16, 2012 06:13 AM
Email clients not remembering passwords	7.62	General Software	12	Jul 13, 2011 04:49 AM
sli hack not working	Corduroy_Jr	General Hardware	0	Apr 10, 2011 07:07 AM
Sli Hack Tried Everything Not Working..... Black Screen	Fallen Angel -X	NVIDIA	7	Jan 29, 2011 04:30 PM