NVIDIA Forums Hack: Passwords Not Salted

[Oberon]

Why did they publish the passwords???

Do they really need justification after stealing them in the first place? Looks like they kind of threw that whole "integrity" thing out the window already.

 

[newtekie1]

Do they really need justification after stealing them in the first place? Looks like they kind of threw that whole "integrity" thing out the window already.

It might sound backwards, but some hackers do have integrity. Some hack into somewhere just to do it, then alert whoever they hacked to inform them how they did it so their security can be strengthened.

Though the people that hacked nVidia were obviously just doing it to be dicks.

 

[GSquadron]

First of all, if i hack a password, i never tell anyone i stole (hacked) the password. I never use it to block their account
No matter what would be my 'nickname'
This all was made and payed very well to the programmers who cracked the forum for just that script in the pastebin. Read what they wrote very well. (i am referring to all)
That is the true reason why they hacked the forum.
Bear in mind that no matter how much i 'love god' i am never going to pay a hacker to hack nvidia forums. So the real reason, is to make you believe that these GREAT HACKERS, achieved that greatness on what they wrote on pastebin. It is just like phishing mind. The hack was payed very well. There is no real reason why the Apollo would hack the forum.
Why exactly Nvidia? What is the real matter? If you find this, you will surely find the next hacking, not only on internet, but in real life!

Actually reading it again, why apollo? Really he says religion and political and other stuff? Where is the real name he should have used?
(You know what i am talking about)

 

[tacosRcool]

good thing I don't have an account there!

 

[TheMailMan78]

It might sound backwards, but some hackers do have integrity. Some hack into somewhere just to do it, then alert whoever they hacked to inform them how they did it so their security can be strengthened.

Though the people that hacked nVidia were obviously just doing it to be dicks.

I agree. But with that being said such hackers don't brag. The ones that brag are dicks as you said.

 

[KissSh0t]

All I can say to "Team Apollo" is....

0101100101101111011101010010000001110000011000010111010001101000011001010111010001101001011000110010000001101000011000010110001101101011011001010111001000100000011100110110001101110101011011010010110000100000011001110110111100100000011100000110110001100001011110010010000001110111011010010111010001101000001000000111001101101111011011010110010101110100011010000110100101101110011001110010000001100101011011000111001101100101001000000110110001101001011010110110010100100000010100110110111101101110011110010010000001101111011100100010000001010101011000100110100101110011011011110110011001110100001011100010111000101110

 

[Disruptor4]

good thing I don't have an account there!

I don't remember if I do or not. Is there a way to find out?

 

[theJesus]

Pfft. I use 'passw0rd' and never have been hacked. [0_o]/

Apparently you don't use that for here.

Is anyone elses Techpowerup password techpowerup.....

Apparently not you.

I don't remember if I do or not. Is there a way to find out?

One would hope that they'd send an email to anybody with an account warning them to change their passwords . . .

 

[Disruptor4]

All I can say to "Team Apollo" is....

0101100101101111011101010010000001110000011000010111010001101000011001010111010001101001011000110010000001101000011000010110001101101011011001010111001000100000011100110110001101110101011011010010110000100000011001110110111100100000011100000110110001100001011110010010000001110111011010010111010001101000001000000111001101101111011011010110010101110100011010000110100101101110011001110010000001100101011011000111001101100101001000000110110001101001011010110110010100100000010100110110111101101110011110010010000001101111011100100010000001010101011000100110100101110011011011110110011001110100001011100010111000101110

What's wrong with Ubi?

One would hope that they'd send an email to anybody with an account warning them to change their passwords . . .

One would hope so... and I think they are/have. Just haven't received one yet so yeah.

 

[KissSh0t]

What's wrong with Ubi?

Not allowing me to play the game I bought for my laptop where I don't have constant internet access.. lol.

Interesting Sony wasn't mentioned xD

 

[TRWOV]

I use asdfgh and variations on many sites that want me to register for some lame reason and I don't want to give them any hints of my real passwords

I use akjwss (an old Geocities isued password) for the same reason. I must have 30-40 forum accounts with that password (pro tip: my user name for those isn't TRWOV either)

 

[Mussels]

actually, techpowerup has some cool password theft protection technology.


if you type your password, it appears in plain text to you, and asterisks to everyone else:


Mussels
***********

 

[TRWOV]

wow it's true

TRWOV
******************

 

[theJesus]

actually, techpowerup has some cool password theft protection technology.


if you type your password, it appears in plain text to you, and asterisks to everyone else:


Mussels
***********

lemme try that:

*********

 

[TRWOV]

I feel safer already

 

[remixedcat]

the password is:
bellybutton

 

[jigar2speed]

the password is:
bellybutton

Thanks i have you now

 

[Ikaruga]

Guys, I was talking to someone at Nvidia yesterday, and he told me that the software they use doesn't even has an option to store the passwords in plain md5, and they are all salted. I understand this is something Nvidia would not rush to admit, but do you think it's possible that the pastebin info is fake?

 

[GSquadron]

Really stupid. I was learning today that passwords with sha1 are extremely easy to implement, though they didn't waste money on their website.
And even want to earn millions!

 

[Mussels]

Guys, I was talking to someone at Nvidia yesterday, and he told me that the software they use doesn't even has an option to store the passwords in plain md5, and they are all salted. I understand this is something Nvidia would not rush to admit, but do you think it's possible that the pastebin info is fake?

entirely possible.

 

[Disparia]

The notice is still up: http://www.nvidia.com/content/forums/index.html

If faked, it would have taken less than 5 minutes for nVidia to discredit the hacking. So it's either real and they're investigating how it happened... or it's an nVidia plot to frame Apollo!

 

[TheMailMan78]

The notice is still up: http://www.nvidia.com/content/forums/index.html

If faked, it would have taken less than 5 minutes for nVidia to discredit the hacking. So it's either real and they're investigating how it happened... or it's an nVidia plot to frame Apollo!

Yes I'm sure its a vast conspiracy to frame Team Apollo. I can see it all now. Jen-Hsun dressed up like M. Bison from Street Fighter telling his minions to frame and stop Team Apollo and all their righteous endeavors to bring down evil corporations via the Nvidia forums. MASTER PLAN INDEED.

 

[Aquinus]

Really stupid. I was learning today that passwords with sha1 are extremely easy to implement, though they didn't waste money on their website.
And even want to earn millions!

They do use a hashing algorithm, but what good is the hash if you're not salting the password. It doesn't take a lot of brute force power for a short password like "foobarpass," you add a salt to make it something like, "supersaltfoobarpasssuperpepper," that is much harder to brute force.

You also don't need to implement SHA1, many languages already have functions or classes and methods that handle hashing.

 

[claylomax]

OMG! That is the combination to my luggage!

Priceless!

 

[Kreij]

They do use a hashing algorithm, but what good is the hash if you're not salting the password. It doesn't take a lot of brute force power for a short password like "foobarpass," you add a salt to make it something like, "supersaltfoobarpasssuperpepper," that is much harder to brute force.

That has got to be the worst example of what using a random salt does to a password that I've ever seen.

But you are right, Aquinus, salting makes it a lot harder to crack as well as using other things like multiple passes of encryption in combination with salts.

That being said, if you use a strong password and it's not salted, it still will have to be brute forced which is quite time consuming even with very powerful hardware.