A hacker got my abyss.conf. Could he open the password?

 
Toc_vremenno
Joined: 09 Apr 2004
Posts: 3

Posted: Mon Jun 28, 2004 4:00 pm    Post subject: A hacker got my abyss.conf. Could he open the password?

A hacker got my abyss.conf. Could he open the password?
I mean, could he open the password having these lines:

Version 1.1
login adm*** .......
password 85b6e0290xx ..........
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Mon Jun 28, 2004 4:24 pm

How do you know he got the .conf file?

The password is MD5 encrypted. It is possible to break MD5 encryption with enough time and CPU power, but he won't be getting there in a hurry unless you chose an insecure password. However, even if you chose a stupid password, the MD5 hash is of the username + password joined, so he won't be breaking it with a dictionary attack in a hurry.

Just change your admin password and everything will be fine. You don't reuse passwords, do you? ;)

Also, as long as you have not forwarded access to your console port through a router, there is no way for him to access the admin console other than be sat at your machine.
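Added example (not part of the original thread and not Aprelium's code): the storage scheme described in the post above, next to a salted, iterated alternative, with a measurement of the cost of one password check under each. It assumes the hash is MD5 over login and password joined with no separator, which the thread describes but does not specify exactly; the PBKDF2 parameters and all function names are illustrative.

```python
import hashlib
import hmac
import os
import time


def legacy_hash(login: str, password: str) -> str:
    """MD5 over login + password (assumed format, see lead-in)."""
    return hashlib.md5((login + password).encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    """Hardened form: random per-record salt plus an iterated KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def pbkdf2_verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


def seconds_per_call(fn, repeats: int) -> float:
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats


def cost_ratio() -> float:
    """How many times more work one PBKDF2 check is than one MD5 check."""
    record = pbkdf2_record("constructed-sample")
    md5_cost = seconds_per_call(lambda: legacy_hash("admin", "constructed-sample"), 20_000)
    kdf_cost = seconds_per_call(lambda: pbkdf2_verify("constructed-sample", record), 3)
    return kdf_cost / md5_cost


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    # The login acts as a fixed salt: same password, different login, different hash.
    print(legacy_hash("admin", "s3cret") != legacy_hash("root", "s3cret"))
    # Joining without a separator makes distinct pairs collide.
    print(legacy_hash("ab", "c") == legacy_hash("a", "bc"))
    print(f"PBKDF2 costs about {cost_ratio():,.0f}x more per check than MD5")
```

Because a single MD5 is so cheap to compute, the protection of the stored value rests almost entirely on the strength of the password itself.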
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Mon Jun 28, 2004 5:04 pm

You should download the new Beta 1 and use that for your server, it has a feature to only allow requests from your localhost address and that way no hacker has access.
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Mon Jun 28, 2004 5:19 pm

He was asking whether anyone could read the password. If he uses the same password for everything on his PC he has a lot more to worry about than upgrading to the latest beta...
Lithorien
Joined: 20 Jun 2004
Posts: 40

Posted: Mon Jun 28, 2004 9:32 pm

Nothing to worry about unless this guy can decrypt MD5 hashes... before he dies of old age. :P
aprelium
Joined: 22 Mar 2002
Posts: 6800

Posted: Tue Jun 29, 2004 3:54 pm    Post subject: Re: A hacker got my abyss.conf. Could he open the password?

Toc_vremenno,

The passwords in the configuration file are one-way encrypted which means that they cannot be decrypted without using huge computing resources to try billions of possibilities to guess your password (assuming your password is not a common word or something easy that the hacker could guess.)
_________________
Support Team
Aprelium - http://www.aprelium.com
Toc_vremenno
Joined: 09 Apr 2004
Posts: 3

Posted: Tue Jun 29, 2004 7:53 pm    Post subject: Brute force?

OK, I understood.
And do you know which programs can decrypt MD5 hashes?
Are there any with open source?
What about speed? I mean, how much time does an administrator have to change the password if it was very simple, e.g.
login: admin
pass: 123456
or dictionary based?
iNaNimAtE
Joined: 05 Nov 2003
Posts: 2381
Location: Everywhere you're not.

Posted: Tue Jun 29, 2004 8:09 pm

First, the password cannot be decrypted. It needs to be broken with a brute forcer.

If you just go and change the password to something a little more complicated, you don't have to be worrying about this.

Make the user something like "admin[]website," and use http://www.winguides.com/security/password.php to make a password.
_________________
Bienvenidos!
erskie
Joined: 16 Jan 2004
Posts: 31
Location: ALL over

Posted: Tue Jul 06, 2004 3:07 am    Post subject: To reiterate the question ...

Out of interest, to repeat a previous question, how do you know a/the hacker got the file?
_________________
'Smile', he said, 'things could get worse...'

So I smiled, and things got worse...
avisonjohn
Joined: 04 Aug 2004
Posts: 4

Posted: Wed Aug 04, 2004 6:18 pm

He probably got someone else's and wants to know how to get the password....
And yeah, I have made an MD5 brute force decrypter with PHP. Will sell the source. Any bids? Email me at avisonjohn@yahoo.co.uk
Anonymoose
Joined: 09 Sep 2003
Posts: 2192

Posted: Wed Aug 04, 2004 7:03 pm

Hahahahahshashha.

Sell the source?

http://www.securiteam.com/tools/5XP0X0040G.html

Regardless, PHP is not a language suited to high speed mathematical calculations...

John The Ripper is industry standard.

http://www.openwall.com/john/
senshi
Joined: 05 Nov 2003
Posts: 385
Location: UK

Posted: Wed Aug 11, 2004 10:38 am

Simple and easy rule to making a secure password.

Don't use a name, a date, a pet's name, a favourite colour, a password of less than 6 characters, something you like doing, your car registration, anything that can be found out about you from someone else.

Any human-readable format is insecure, as is any public information about you, or what you disclose about yourself to others can be used to help guess passwords. In short, the password is only as secure as you make yourself; if you go around boasting or bragging, people will use what they can against you, so start being secure by securing the biggest security hole, your mouth.

For example,
alan10121977 -- wouldn't take very long to crack, a matter of minutes I would say.

Alan_10121977? -- Would present some element of difficulty as it uses non-standard characters; most crackers will be looking at Aa-Zz & 0-9, the addition of a non-standard character is what makes any password secure.

Most secure would be something that is a mix of characters that you can remember but doesn't make a word, has mixed capitals and lower case, numbers and at least one non-standard character.

a10L12a19n77? -- a bit awkward but does prove more difficult to crack because the name is broken up by numbers and there's a case change and one non-standard character.

The crack engines that pick out words easily enough can't find matches to what appears to be a random set of characters, as it has some case changes and the name alan is broken up by numbers.

The best passwords are ones that have no connection to you, your surroundings and the things you like doing or relatives, birthdays or anything that has a 'Human' readable form, it all depends on how easily you want your passwords stolen, I use one password for many secured items because I know that my password is really secure, it has 12 digits that are mixed numbers, letters with case changes and nonstandard characters.
senshi
Joined: 05 Nov 2003
Posts: 385
Location: UK

Posted: Wed Aug 11, 2004 2:41 pm

If you put / as the virtual path and enter the physical path to the folder you want, any request arriving as a simple http://*yourIPaddress/ will automatically get directed to that folder, so you can add the same physical path to /mp3.

This would have the same effect of securing the root of your site as it now becomes invisible.

That's if you want to only allow users you add to the server security. You are better to host a page or two with links to files that are locked down with a password and user login to gain access to the download. If all you're worried about is hot linking, you can use simple methods to prevent the user from doing such things by simple uses of JavaScript or a simple CGI program or PHP to run as CGI.
kuratkull
Joined: 20 Aug 2004
Posts: 3

Posted: Fri Aug 20, 2004 12:15 am

A few days ago, some Chinese smart men found out an algorithm to break the MD5 hash in a matter of hours. Creepy...

www.md5crack.com
senshi
Joined: 05 Nov 2003
Posts: 385
Location: UK

Posted: Sat Aug 21, 2004 10:14 am

kuratkull wrote:
A few days ago, some Chinese smart men found out an algorithm to break the MD5 hash in a matter of hours. Creepy...

www.md5crack.com


Quote:
The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

--------------------------------------------------------------------------------

Please try the following:

Click the Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
If your Network Administrator has enabled it, Microsoft Windows can examine your network and automatically discover network connection settings.
If you would like Windows to try and discover them,
click Detect Network Settings
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.



Cannot find server or DNS Error
Internet Explorer


BUT NOT FOR LONG !
All times are GMT + 1 Hour