
HPI Identity Leak Checker

Posted: Fri Mar 01, 2019 3:59 pm
by u
I checked my e-mail address on HPI Identity Leak Checker at

https://sec.hpi.uni-potsdam.de/ilc/

They sent me an email:

Attention: Your e-mail address xxx appears in at least one stolen and illegally published identity data base (a so-called identity leak).
The following sensitive information was freely found on the Internet in connection with your e-mail address:

net-chess.com Sep. 2017 83,203 Affected


So I checked a bit and found that net-chess.com was really hacked and many passwords were stolen; the passwords are shown in plain text. This happened because net-chess is using the weak MD5 hash algorithm. I sent greg a private message here some weeks ago but never got an answer.

So what should we do now? Change the password!
But it is also important to drop this weak MD5 and use a better algorithm.

The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities.

Re: HPI Identity Leak Checker

Posted: Sun Mar 03, 2019 6:10 am
by abiodun

Thanks U, for this Interesting Post !

I never use to worry about such things as this ... but I suppose our world changes hourly !

What To Do Now .....? ? ?


Hmmmmmmm...... !

Re: HPI Identity Leak Checker

Posted: Mon Mar 04, 2019 8:30 am
by gmiller
The forum uses MD5. While it has weaknesses none of them apply to password storage, and there are "better" algorithms for password storage but none of them are actually good. The problem with all password hashing algorithms is that the passwords people choose are so weak there is no practical method of storage that meets any definition of secure. Your best practical option is to use different passwords for things that actually matter. It is of relatively low probability, and low impact that someone would actually want to hack in to your net-chess account and make moves as you.
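An added example, not code from the forum, from net-chess or from phpBB, illustrating what the two posts above are arguing about: why an unsalted fast hash such as MD5 is a poor password store even though collision attacks are irrelevant to it, and what a salted, deliberately slow KDF changes. The user names, passwords and word list are constructed for the demonstration; PBKDF2-HMAC-SHA256 and its iteration count are an assumption, chosen because it ships in every CPython build.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample: three users stored as plain unsalted MD5, the scheme
# the thread attributes to net-chess. Two of them chose the same password.
# Nothing here is taken from a real leak.
SAMPLE_USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"chess2017").hexdigest(),
    "bob":   hashlib.md5(b"chess2017").hexdigest(),
    "carol": hashlib.md5(b"Rook-Knight-Pawn-19").hexdigest(),
}

# Constructed stand-in for a cracking word list.
WORDLIST = ["123456", "password", "chess", "knight", "chess2017", "qwerty"]


def duplicate_hashes(stored: Dict[str, str]) -> Dict[str, list]:
    """Group users whose stored values are identical. With no salt, equal
    passwords give equal hashes, so a leaked table already shows who shares
    a password before a single guess is made."""
    groups: Dict[str, list] = {}
    for user, h in stored.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_unsalted_md5(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack. Each candidate is hashed once and the result
    is looked up against every stored hash at the same time: one MD5 per
    candidate covers the whole user table, because there is no per-user salt.
    This is done on a copy of the table and never touches the login form."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


# Assumed parameters for the salted, slow alternative. A memory-hard KDF
# (scrypt, Argon2) would be the stronger choice where available.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2$<iterations>$<salt>$<hash>' for storage.
    A fresh random salt per user means equal passwords no longer collide
    and each guess must be recomputed per user at full KDF cost."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("users sharing a password:", duplicate_hashes(SAMPLE_USERS))
    print("recovered from unsalted MD5:", crack_unsalted_md5(SAMPLE_USERS, WORDLIST))
    rec = pbkdf2_store("chess2017")
    print("two stores of the same password differ:", rec != pbkdf2_store("chess2017"))
    print("verify:", pbkdf2_verify("chess2017", rec))
```

The word list here is tiny; the point is the shape of the cost. Against unsalted MD5 an attacker pays one hash per candidate for the entire table, and public wordlists of previously leaked passwords catch most human-chosen ones quickly. Against a salted slow KDF every candidate has to be recomputed per user at the full iteration cost, and a strong, unique password stays out of reach even when the table leaks.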

Re: HPI Identity Leak Checker

Posted: Thu Mar 07, 2019 1:57 am
by abiodun

Mr. Greg ............

Many Thanks for Sharing Your Internet / Chess-Net Knowledge With Us All Here ! ! !

You've Put My Mind at Ease ! ! !

Hello There Mr. U .............. Did You Read This ? ? ?

Hopefully So !

Re: HPI Identity Leak Checker

Posted: Sun Mar 10, 2019 4:36 am
by u
You can find many passwords from this site in plain text on the internet.
I do not want to publish the link for this text file.

In the text file you will find, for example, these passwords, which belong to net-chess users:

d4bLc58zeU
Idontknow1!
Eg4y8lap9Q

Are these passwords weak, and if yes, why?
What kind of password should we use for net-chess to be safe?

Re: HPI Identity Leak Checker

Posted: Sun Mar 10, 2019 8:34 am
by gmiller
Yes, those are weak. An actually secure password composed of all printable ASCII characters chosen purely at random would need to be 39 characters long to meet today's definition of secure (256 bits of entropy). That's pretty much impossible for humans to memorize. What most people do who are that concerned about it will use a password manager to generate really long passwords, and look them up to log in to each site. But, like I said above, it's of very low probability that someone would want to log in to net-chess as you and do anything.

Re: HPI Identity Leak Checker

Posted: Mon Jul 08, 2019 2:24 am
by energy
However...

Some lowlife scum preying on the innocent tried to bully me to send him $900 in bitcoins recently. Had my password (which was 8 characters long) and tried to use that to convince me he had hacked my machine. The sad truth is that a lot of non-technical people will probably believe this idiot.

Funny thing is, I used the "I have forgotten my password" link to reset my password (it is the fastest way) and the forum software generated a 13-character (all upper case) password for me. Is that the best phpBB will do?

BTW, I am more curious about how an attacker can test the millions of passwords needed, without having a copy of your (hashed) password file? In other words, without having hacked your site? That the whole site might have been breached seems to be a bit more worrying than having a few account passwords compromised....
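An added example, not from the forum, that puts numbers to two figures in the posts above: gmiller's 39 printable-ASCII characters for 256 bits of entropy, and the 13-character upper-case password that energy's reset produced. It also generates a password the way a password manager does, with the operating system's CSPRNG. The list of policies compared is constructed for illustration; the alphabets assumed for the 8- and 10-character entries are guesses about their shape, not facts from the thread.

```python
import math
import secrets
import string

# 95 printable ASCII characters: letters, digits, punctuation and space.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation + " "
UPPER = string.ascii_uppercase                  # 26 symbols, as in the phpBB reset
ALNUM = string.ascii_letters + string.digits    # 62 symbols (assumed for the samples)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly and
    independently from `alphabet_size` symbols: length * log2(alphabet).
    This credit only applies to machine-generated passwords. A human-chosen
    string of the same length and character classes is far more guessable,
    because attackers try the patterns people actually use first."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length at which a uniform random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(length: int, alphabet: str = PRINTABLE_ASCII) -> str:
    """Password-manager style generation: `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed policies to compare (alphabet size, length).
POLICIES = {
    "8 chars, alnum assumed":            (len(ALNUM), 8),
    "10 chars, alnum assumed":           (len(ALNUM), 10),
    "13 chars, upper case only (reset)": (len(UPPER), 13),
    "39 chars, printable ASCII":         (len(PRINTABLE_ASCII), 39),
}


def compare_policies(policies=POLICIES) -> dict:
    """Bits of entropy for each policy, assuming uniform random choice."""
    return {name: round(entropy_bits(size, n), 1) for name, (size, n) in policies.items()}


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:36s} {bits:6.1f} bits")
    print("length needed for 256 bits over printable ASCII:",
          length_for_bits(len(PRINTABLE_ASCII), 256))
    print("example:", generate(length_for_bits(len(PRINTABLE_ASCII), 256)))
```

Two things follow from the arithmetic. Lengthening the alphabet helps less than lengthening the password: 13 upper-case letters (about 61 bits) beat 8 alphanumerics (about 48 bits) by a wide margin, and a 10-character alphanumeric string drawn at random would be about 60 bits, which is fine against an online login form but not against offline cracking of a fast unsalted hash. And the figures are upper bounds that hold only for the generator, which is why the practical advice in the thread is a password manager and a different password per site rather than a memorable pattern.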

Re: HPI Identity Leak Checker

Posted: Mon Jul 08, 2019 2:50 am
by jumpnmustang
It doesn't take much to brute force an insecure website, and you don't necessarily need to brute force a password on the insecure site. The risk isn't necessarily your password. I will stay away from this subject for the most part. But unless you're a security expert you are at risk logging into this site. You don't need an HPI identity leak checker to know this. Just look at the browser where it says the link and see if it says secure or not.

Personally I do agree that if Greg wants this to continue in reality he should make the site itself more secure. I am training to be a security expert now. I am a beginner really, but one of the first things you learn is how to break insecure websites and why someone would do it. This is an interesting post that probably shouldn't be ignored.

Re: HPI Identity Leak Checker

Posted: Mon Jul 08, 2019 2:52 am
by jumpnmustang
And BTW, never believe an email. If someone has your password, report it to an authority and change your password. Potentially enlist in sites that do two-factor authentication and make sure they have secure protocols.