Quote:
Originally Posted by Netaquel
Hi all
But still database can be stolen. That passwords are not in clear form (some hash, MD5, SHA, etc) makes just few days difficulty for thieves - bruteforce cracking or dictionary words... Piece of cake if you have hash of password.
|
Quote:
Originally Posted by extince
In theory u can do md5-collisionchecks .. sure I guess the passwords got a salt within the md5, but still, in theory it's still possible to get the password back in plaintext. Many examples from Sweden about that issue (sites get hacked and databases started to spread, even with salt they succeed to get passwords from this)
But, I guess you as admin don't have any interest of it
|
Please read my post again.
The EF software does not store the password in encrypted format. It stores an encrypted, salted MD5 hash of the password. So even if someone were able to hack into the EF database server (very unlikely, the EF servers are very secure) and then crack the salted MD5 encryption (which has never been accomplished by anyone in the world, to my knowledge), they would still only have the hash of the password, not the password itself. As I said, member passwords are not stored anywhere in the forum database, encrypted or otherwise.
However, it should be noted that a malicious webmaster could theoretically capture passwords from form fields before they are submitted to the database, by using a slightly modified stock vBulletin or similar forum software, so one still needs to be careful. My explanation above was more intended to set members' minds at ease that it is extremely unlikely that someone could extract such information from EF's database, even if they were successful in gaining unauthorized access to the servers somehow.
Thus, it is still good security practice to use a password different from the one you use for sensitive or financial websites, such as your Entropia Universe login.
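
An added example, not part of the original post or of the forum software's code: it sketches how a stored salted MD5 hash lets a server check a login without keeping the password, and measures the cost of one check against a deliberately slow derivation (PBKDF2). The construction `md5(md5(password) + salt)` is an assumption about the stock vBulletin layout the post mentions; the function names, salts and passwords are constructed.

```python
import hashlib
import hmac
import os
import time


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def legacy_hash(password: str, salt: str) -> str:
    # Assumption: md5(md5(password) + salt), the layout stock vBulletin is known for.
    return md5_hex((md5_hex(password.encode()) + salt).encode())


def legacy_verify(password: str, salt: str, stored: str) -> bool:
    # The server re-hashes the submitted password; it never needs the original.
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    # Deliberately slow derivation: same idea, far higher cost per attempt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def seconds_per_check(fn, rounds: int) -> float:
    # Average wall-clock time of one hash computation.
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample accounts: same password, a random per-user salt each.
    rows = {name: os.urandom(3).hex() for name in ("alice", "bob")}
    stored = {n: legacy_hash("Tr0ub4dor&3", s) for n, s in rows.items()}
    print(stored)  # the salt gives each account its own hash for one password
    print(legacy_verify("Tr0ub4dor&3", rows["alice"], stored["alice"]))
    fast = seconds_per_check(lambda: legacy_hash("guess", rows["alice"]), 20_000)
    slow = seconds_per_check(lambda: pbkdf2_hash("guess", b"constructed-salt"), 2)
    print(f"salted MD5: {fast:.2e} s/check, PBKDF2: {slow:.2e} s/check")
```

The salt stops identical passwords from sharing a hash, while the time per check is what determines how expensive each guess against a copied database row is.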