The Mods Are Asleep

Rule #1: Don't stick your dick in the crazy.

seemslegit

The main issue is whether or not the actual non-hashed passwords can be retrieved. My accounts are in the list and I own pretty small irrelevant boards so it seems like it is all the mod accounts. Also the logs will inevitably cause drama which is going to be fucking annoying since we just got over the recent shillfest.

I'm pretty sure it is real, the mod list at least.

>endchan.xyz/.media/1c1fffe4c3e53b7d9c9f45d4133b514d-textplain.txt
Why the fuck is Holla Forums storing all of this? Is it storing it forever and is it doing it for every single Owner and Volunteer on this website?

also, just checked the PMs text file and it has the one PM I've ever made on Holla Forums years ago so that seems real as well. This is probably going to be an interesting few days

Just peeked the source code of vichan, pic related (install.php).

Good news everybody! The passwords are salted and are hashed with SHA256.

In English: Cracking these passwords would take millions of years (with lowly mortal computer technology, NSA/ayy lmaos don't count).

Not true at all.

A GPU can bruteforce 1,000,000/sec SHA256 passwords easily.

Basically, if your password is in a dictionary - you're fucked.

Posted on a chan hosted in nevada. kek.

...

SHA256 can be bruted easily. The salt isn't going to save anyone if their password is in a dictionary.

The salt just means that a Rainbow Table cannot be applied.

Well, this goes without saying in general, anyways. If you choose shit passwords you're a faggot.

Just change your passwords.

If your password is not faggot-tier, it will take millions of years to brute force, even without a salt.

You should be using randomly generate passwords and copy pasting them from a .txt file that you encrypt.

Yep.

fugg DD:

So what are the implications of this?

a week of shitty internet and stolen passwords/information most likely. For the average user.

for us, the politically motivated, /baph/ may do some very funny things instead. So il be waiting with glee to hear about their exploits. They can probably even tell us the "illegal" (lol fuck the deep state, those guys are illegal) things at the end of it

oh wait wrong thread

was meant to imply the release of the NSA tools, got confused in the thread, lol mods pls dont ban for posting in this tred lol.

The most important thing from this mod leak is the admission of these creepy pedo child porn faggot mods. I wouldn't want my IP tied up to this site at all.

GAS THESE SICK FUCKS

user I'm rusty on password cracking, and your post made me nervous so I decided to do the math. Not posting this to be a dick, just sharing for interested others.

We are assuming an 8 byte password of random characters from the set {a-z, A-Z, 0-9}, hashed with SHA-256 with no salt:

This is how many years it would take to brute force it (@ 1 mil a second, divided by two because on average you only have to try half of the combinations to find the password):

Answer (pic related from wolframalpha.com):

Not looking too good if you used an 8 character password, but at least you have almost 4 years to change your passwords around the web!

Other times:

10 characters: 13,000+ years
12 characters: 50 million+ years
etc. (vichan max password length appears to be 40 chars)

Moral of the story: Change your fucking passwords anyways and use longer passwords going forward, composed of random characters (no words that can be found in a dictionary – if you use a word that can be found in a dictionary, it basically only counts as one character in the password, e.g. banana17 is a 3 character password and you're FUCKED).

Please check my work and correct for us as necessary, it's been a while.

What the fuck.

imkamfy and therealmoonman are gone, but there's some new names on the mod log. sys.8ch.net/log.php?board=pol

Could resurrectedplayer and HotpocketX be imkamfy and therealmoonman with new names? Use of the word "resurrected" sure seems to imply that. I wish the god damn mods would just talk to us. More transparency.

Here's a namechange.
>1450,Heil,$6$rounds=25000$KKMYthFo4cwFUOsa$OWP.DmktmM9N9hteexQQHSmYPoi5wZB16TRHqKPNRT6XMyzv8qS5Ru7VI9yTMErLTEvD5ahjYYCCz3R0xMmZ81,1,20,pol,[email protected]/* */co

>[email protected]/* */co

I remember there used to be a mod named faggetttss. Apparently he changed the handle but kept the email.

Searching for ,pol, gives you 4 mods. imkamfy, therealmoonman, Heil and faggetttss. Heil and faggettsss are the same person so Holla Forums only had 3 mods.

That's just retarded.

Bumpppp

Thats a cover up goy

Here's a few /newsplus/ mods talking about imkampfy in the PMs. Unix time 1490573026 = Mon, 27 Mar 2017 00:03:46 GMT

>So for the last ad, our total clicks were 26. For this ad: good tbh.I just put the ad back up too kek.i checked but all i can see are those /newsplus/ banners right now.Just checked: :^)

TIME FOR A PROPER DISCUSSION ON PASSWORD COMPLEXITY

I'd like to put some real numbers to these figures across the board because I'm feeling particularly autistic right now. tried admirably but he used the very wrong assumption of 1Mhash/s for a decent GPU; that's absurdly conservative. Bitcoin miners are rated in Mhash/s but bitcoin uses double SHA-256 (i.e. they SHA-256 the input, then SHA-256 it again). We're only talking about doing that once, so the throughput for our purposes would be double the bitcoin miner Mhash/s rating.

Single GTX 1080 = 1,044.81 MHash/s = 2,089,000,000 SHA-256 hashes per second (per gpuboss.com/graphics-card/GeForce-GTX-1080), power usage at full tilt is about 300W
Fastest bitcoin ASIC miner I could easily find (AntMiner S9, not yet released apparently) = 14,000,000 MHash/s = 28,000,000,000,000 SHA-256 hashes per second (per en.bitcoin.it/wiki/Mining_hardware_comparison), power usage at full tilt is apparently 1,375W

>8 character password, only lowercase

>8 characters with lower and uppercase, numbers, and 32 common QWERTY symbols

>20 characters only lowercase

Mentioning dictionary attacks is a non-sequitur for a couple reasons. If your password is a single dictionary word you're fucking retarded. You only have to check the entire dictionary once in this case which is trivial even for gigantic dictionaries. However, there is nothing wrong with using multiple dictionary words in a passphrase, as long as you use enough of them, and as long as the attacker's dictionary has to be big in order for him to be certain it contains your words.

In other words, don't use simple words that would be found in a dictionary with only 5,000 entries if you can help it. If you do, use a lot of words to form your passphrase. Also, as long as the hashed passwords are individually salted with unique salts, the attacker can't pre-hash common phrases together and directly check against the hashed passwords, because the per-password salt prevents the pre-generation of that list. That's the basic reason why rainbow tables are defeated by per-password salts.

Why is using multiple dictionary words okay, and even advisable? In the same way a lowercase-only password has 26 possibilities for each character position, a dictionary-based password has dict size possibilities for each position occupied by a dictionary word. is incorrect in assuming each dictionary word counts only as a single character because he neglected the distinction between the complexity of the dictionary "character" and that of a numeric character.

>1M dict, just so attacker can guarantee certainty

>even if the dictionary only has 5,000 words…

>with 5k words in the dict and a passphrase of 10 words

Also, in theory you would be safe to use phrases from books for this if they're long enough. This is because the attacker can't trivially pre-compute hashes for phrases of the right length from known books. First, because the attacker probably doesn't know the length of the phrase in words to begin with. Second, because of the sliding window notion of doing this - you don't know where the phrase starts or ends so you have to pre-compute all possible 10 word runs in the entire book, for each book. Third, because pre-password salts negate the attacker's ability to pre-compute anything useful.

(continued from)
How about the cost of power for those various cases? This tells us the total power cost to brute force passwords of various lengths and attributes, regardless of parallelism (i.e. if you use two GPUs instead of one, the power consumption doubles but the total time is cut in half, so total power demand is the same). This does also ignore one-time costs to enable that parallelism, i.e. the cost of the hardware unit(s) themselves.

>8 characters, lowercase only

>8 characters, all upper/lower/numbers/symbols

>20 characters, lowercase only

>1M dict size, always 5 dict words, known separated by spaces

>5k dict size, 10 words long, known separated by spaces

Hopefully that puts into perspective the fact that password length rather than diversity of characters has much more security, even if you use multiple dictionary words as long as they are uncommon enough to not be in a tiny dictionary, or you use enough common dictionary words. Finally, if the password hashing mechanism uses multiple rounds of the hash instead of just one, you can multiply every listed figure so far by the number of rounds. If it's 25,000 rounds, multiply everything by 25,000. A "round" for the unfamiliar is where you hash the last hash again, so it's like hash-of-the-hash-of-the… for however many times, which makes the complexity of checking each answer that much harder.

this is getting crazy just pm-ed heil." 1421965273 0
1409 11865 11866 also still deleting threads. 1421965924 0
1411 11866 11865 ">also still deleting threads.
Jesus, there's no end to it.
Is it kampfy again?" 1421984334 0
1412 11865 11866 ">>also still deleting threads.
yeah.
Lets hope heil deal with it this time" 1421984844 0

Thanks, user.

See here, Jews. This is why we will win: Weaponized Autism (WA). I'd estimate these posts are way over 9000 on the WA scale. Fear us.

This.

Thanks for correcting my shit and educating us.

Watch an autist see these posts go full SSJ and max their WA – they'll probably post some source code proving their point, too.

You're right, that was a huge mistake. I forgot that each added word in the dictionary increments the base by one.

The smug lolis started appearing all at once when 2d child porn was no longer banned here. Figures it was imkamphy the whole time.

no shit.

Heres a fun one from the dump
The only thing I have a problem with is the length of the bans. I admit I did do a 7 day ban on a HE spam that looked pretty much like a bot. I also feel we should condense the sing threads into a single stickie and maybe even stickie a Holla Forums mod feedback thread. Couldn't hurt." 1411578163 0
214 1591 1591 "A landmark study published last Thursday in the Australian Journal of Business and Economics, proves once and for all, that the /aus/ board mod does it for free. The results of the six month long study, while having only been released a few days ago, have already gained widespread acceptance among the Holla Forums community. According to researchers, the study went into great depths and utilized a wide variety of research methods. ""We did everything from genetic analysis, to behavioral analysis, to even interviewing the mod's family and friends. All of our collected data points to the same conclusion. That mod does it for no monetary compensation."" said Professor BigBlac Cockenstein. ""In one particular experiment, we sneaked into the mod's home and replaced the hotdogs in his fridge with shitposts. Upon returning home, the mod proceeded to clean up the shitposts. And he didn't ask for any remuneration for his time.""

Even though the study has been proclaimed by the economics community to be one of the greatest papers of the 21st century, not all members of the public have a positive opinion of it. One man which we interviewed yesterday, said the following: ""Why are these cunts wasting money to study something like this? Everyone already knew the answer. You might as well have a study to prove that the sky is blue and that the grass is green."" Others were much more happy to see the study completed. ""I'm an economics major and have been following the study for the last 2 months, waiting for the results to be published. I am really happy to see the research back up my own personal observations regarding the mod.""

However, no matter what one's opinion of the study may be, one thing is for certain.

He does it for free. In the words of Professor BigBlac Cockenstein: ""It is scientific fact.""" 1411585330 0
217 1450 2053 Hey can you tell me the reason why you banned that guy on Holla Forums? Thanks. 1411588953 0
3000 17980 15643 "
Sure, set it up and I'll join" 1432568343 0
3001 17126 15757 "
Thank you I am sorry about asking for help." 1432568373 0
3002 15643 17980 "
I'll do it later…
So we top25 now! Wat do!?" 1432570076 0
219 1450 2053 ">>Hey can you tell me the reason why you banned that guy on Holla Forums? Thanks.

I appreciate your help. Didn't know he was shitposting in other boards, thanks again." 1411591246 0
220 2053 3600 Yo, why you been dishin' out Holla Forums bans? Thought globals weren't supposed to mess with other boards. 1411601129 0
221 1521 1 "Hello,

Please move /mecha/ to /m/. /m/ Is currently extremely dead with nonsense on it.

Thank you." 1411608602 0
222 1 4957 "Admin here.

We're moving away from CloudFlare tomorrow.

I really didn't want to delete /pedo/ just so you know, but my hands were tied. There was nothing illegal about that board and I'm seriously pissed off I had to remove it.

I will try to move quickly so that if we get another report (from a non-governmental agency) we can ignore it.

Putting that aside, a single character is simply less bytes than a string of characters, so more of them can be rammed through the GPU.

So a government agency told them to delete /pedo/? I'm okay with that. Pedos deserve the rope.

They were mad it wasn't their honeypoy.

Gonna have to disagree with you there. It's almost meaningless once you start using rainbow tables (we are assuming no salt, remember?). Space/time trade off, as you said:

The only thing it does is increment the base.

Feel free to prove me wrong with math if you disagree.

This makes no sense to me at all:

Once again, willing to be educated. Your words simply didn't convince me as presented.

Woops, I didn't mean this sentence makes zero sense at all:

I agree password length is the most important thing. Actually I'm a retard (just woke up) and that sentence is fine.

What I am disagreeing with is this:

What I meant by this is that it increments the base by one, instead of the by the length of the word in the dictionary, in characters.

e.g. banana: increments the base by one, instead of by six (the length of the word "banana").

So perhaps it's that you didn't understand what I meant by:

What I meant is that it increments the base by one if it's in the dictionary.

Not sure what you mean by:

You don't need to hash stuff in the dictionary you're using if you're using rainbow tables, which you should be assuming if there is no salt. Otherwise go ahead and add the math to your equations for pre-computing the table.

How do you like that (((sexy))) reddit spacing? I'm shambling off to get some coffee. FUCK OFF REEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE

Increments the base by one and
does not increment the exponent by the length of the word
Off to KMS now.

You gave the example of "banana17" as a dict word plus two numbers, and said it's like a 3 character password since dictionary words only count as one character. This has an implicit implication that the password is like this: and that somehow having the dictionary word there was no different than or . That misconception, whether you meant it or not, is what I was attacking so that any other anons or lurkers are not confused.

The proper complexity for your "banana17" scenario would be: (sizeOfDict) * (10) * (10), or in another way of looking at it, sizeOfDict^1 + 10^2. That's why if you have 10 dictionary words, you're doing sizeOfDict^10, and if sizeOfDict is 5000, that is a fucking gigantic number. Keep in mind you'd also have to have prior knowledge of the format of the password to accelerate that attack, which is not common when attacking a database dump full of passwords.

This is also why use of a dictionary word does not increment the base by 1 nor the exponent by 1 as you said here (>>9678610) because the dictionary size has its own base, and the exponent is the number of dictionary words present. Whatever other components of the passphrase might exist would have their own bases and exponents. You have to take them all into account, and all of that implies you have foreknowledge of the plaintext format of the password you're trying to crack, and that's often a guess at best.

The other trick of using multiple dictionary words is that the attacker's desire for certainty will drive up the attack complexity, because the attacker would want to use a larger dictionary to ensure success. As I mentioned before, if you use only 5 words and all of them can be found in a 5,000 word size dictionary, you're gonna have a bad time. The catch is whether the attacker knows you used only words out of such a small dictionary - they might want to use a dictionary that is 10 or 100 times larger to ensure certainty, but that significantly increases computational complexity. The password chooser (i.e. the user) has a greater chance of mitigating the potential weak point here by either using words of sufficient rarity that they are unlikely to be found in small common dictionaries, or by simply using enough words to blow up the exponential term no matter the dictionary size. The utility of understanding the complexity is that remembering a phrase of 10 words is not that hard, and with an attack dictionary of 5000 words, 5000^10 ~= 10^37, meaning you'd have to memorize a 37 digit number to achieve similar password complexity.

was making a separate distinction, which is that enumerating dictionary words and hashing them is actually even harder than just iterating through character classes and hashing the result, because you have to constantly use GPU bandwidth to transmit the plaintext dictionary word bytes to the GPU to be hashed, and you have to do that for every distinct dictionary word. In other words, the GPU can easily enumerate [a-zA-Z0-9] but it cannot easily enumerate a list of words, because the words would have to be fed in one by one. The best you could conceivably do is to pack word bytes in to large textures, and have a second set of textures that encodes the byte length of each distinct word so you know how many texels to read for each hash attempt. The memory accesses would still slow down the process significantly because you're not working strictly with GPU registers anymore, you're having to access its main memory. This means that GPU or ASIC based dictionary attacks would likely be more memory bandwidth limited rather than computational speed limited, and that means the effective hash rate would be much much slower. For what it's worth, even the fastest bitcoin ASIC miners are not geared for this at all, because they have minimal onboard memory because they don't need it for their application. A GTX1080 would be better suited because of the large onboard memory, but again you're limited by computational power across

Also, rainbow tables and pre-hashed dictionaries are not going to work as long as the hashed passwords are individually salted with unique salts. If you are trying to crack passwords hashed with a single global salt, you can start to precompute things and achieve a speedup for breaking multiple passwords from the same database. If there's no salt at all, then pre-built rainbow tables can be used, but again, the length of the passphrase is the limiting factor there. Most rainbow tables are not more than 10 characters long, so they would only apply to a 96^10 complexity situation at most. You could probably break some passwords with that, but you'd never bruteforce any passphrase even if it's trivial with a dictionary attack.