Password can be read easily!!!! [Denied]

Topic Starter
Otaku445
If you open the osu! which contains osu! and if you open USERNAME.cfg with the Editor you can read the hashed password.
If you have a tool to make the hashed text to a normal text you get the password.
The USERNAME.cfg file should be encrypted. :!:
Azure_Kite
I can see where you're coming from, but at the same time, anyone who would be able to get this file would have to already be at your computer.

If anyone went to all the trouble to unencrypt your osu! password, they really have no life.
ziin

Azure_Kyte wrote:

> I can see where you're coming from, but at the same time, anyone who would be able to get this file would have to already be at your computer.
>
> If anyone went to all the trouble to unencrypt your osu! password, they really have no life.

This is Microsoft's stance on bypassing the password to the admin account with a boot CD.

If you're worried about people getting your password, play osu on a flash drive.
Corin
You know, if they just have the .cfg file they have your account... right?

All they have to do is change a few things like the name of the document and bam.

:/
Kitsunemimi

Corin wrote:

> You know, if they just have the .cfg file they have your account... right?
>
> All they have to do is change a few things like the name of the document and bam.
>
> :/

This too. Since they have all the login info in that file, they can just log on with it.

However, we haven't had many situations reported where people's accounts have been hacked from stolen .cfg files, so it really isn't that big of a deal yet.
mm201
http://en.wikipedia.org/wiki/Trapdoor_function

The only improvement I could think of would be using unique salts for each different point of entry.
No matter what we do, if someone grabs ahold of your saved login, they can log in as you.
Shiirn
This is one of those issues in which the entire point of it being saved is that anyone who gets that saved information will be able to use it..

Hardly smart.
hahanottelling
>If you have a tool to make the hashed text to a normal text you get the password.

there is no such tool. Hashing is one-way.
Topic Starter
Otaku445

hahanottelling wrote:

> >If you have a tool to make the hashed text to a normal text you get the password.
>
> there is no such tool. Hashing is one-way.

Of course there's such a tool: HashMyFiles
It can hash texts and it can make a hashed text to a normal text! :!:
Topic Starter
Otaku445

ziin wrote:

> Azure_Kyte wrote:
>
> > I can see where you're coming from, but at the same time, anyone who would be able to get this file would have to already be at your computer.
> >
> > If anyone went to all the trouble to unencrypt your osu! password, they really have no life.
>
> This is Microsoft's stance on bypassing the password to the admin account with a boot CD.
>
> If you're worried about people getting your password, play osu on a flash drive.

I do but then I have to synchronize the osu-highscores on my computer with the highscores on my flashdrive :!:
thefran_old
> If you have a tool to make the hashed text

A hash is not an archive, my friend! It is not reversible due to information loss!

A hash can not be reversed into the original information easily. Au contraire: if you need to find out the pw if you know the hash, you need rainbow tables. Do you have any idea how huge those are?

Who would generate 170 gigs of rainbow tables to crack an account for a game for weaboos? Can't you just beat the said weaboo with a rusty wrench until he gives you the password? Now that's brute force.
Yakety Saxer
As thefran said. Hashed text cannot be reversed without the use of Rainbow tables. There are certain sites that have HUGE rainbow tables and you can simply paste in the hashed code and it'll look it up. If it's there, it'll show you it (sometimes for a fee -- really? You'd pay to crack some guy's osu! account?)...

Generating rainbow tables can take several days or even weeks, depending on what parameters you set, for instance.

The generation of a rainbow table which has everything from 1-7 characters long, using lowercase letters and numbers, would take probably only 1% of the time it would take to generate a table with 1-9 characters + lowercase + UPPERCASE + numb3rs and $ymbo!s (symbols).

Put it short, if you're worried about someone hacking your computer and taking your hashed password (wouldn't they just install a keylogger??) and trying to rainbow-table reverse it, make your password longer and have numbers, upperCASE and symbols in it!

Just a fun fact :

Rainbow table with 1-14 characters, lowercase, UPPERCASE + numbers and symbols would take about 471 days to generate and weigh about 11.7 TB
Aerexos
For those who are saying hashing is irreversible, it is not. Brute force, rainbow tables, wordlist attacks are very real and not hard to crack depending on the method. If the encryption algorithm is known, the text can be decrypted.

Majority of people have same or similar passwords for various accounts. If someone has access to your pc, they can steal more serious things like autofill data from chrome.

The password can be recovered, regardless of encryption algorithm, salt and other variables. It's just a matter of difficulty.
I think it'd be great if they added a salt.
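
Added example, not part of the thread and not osu!'s code: a Python sketch of the salting point raised by mm201 and Aerexos, showing why a precomputed table matches an unsalted digest but not a per-record salted one. The thread does not name the client's hash algorithm, so SHA-256, PBKDF2, the iteration count and all sample passwords here are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for this example only


def unsalted_digest(password):
    """Fast unsalted hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Return (salt, key) from PBKDF2-HMAC-SHA256 with a random per-record salt."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], expected_key)


def precomputed_table(wordlist):
    """Digest -> password map: the lookup step a rainbow table stands in for."""
    return {unsalted_digest(word): word for word in wordlist}


def table_hits(stored_hex_values, table):
    """Passwords a precomputed table reveals from a list of stored values."""
    return [table[v] for v in stored_hex_values if v in table]


if __name__ == "__main__":
    # Constructed sample data: two accounts that happen to share one password.
    wordlist = ["letmein", "osu12345", "password1"]
    table = precomputed_table(wordlist)
    unsalted = [unsalted_digest("osu12345"), unsalted_digest("osu12345")]
    salted = [salted_record("osu12345") for _ in range(2)]

    print("unsalted digests equal:", unsalted[0] == unsalted[1])
    print("table hits on unsalted:", table_hits(unsalted, table))
    print("salted keys equal:", salted[0][1] == salted[1][1])
    print("table hits on salted:", table_hits([k.hex() for _, k in salted], table))
    print("verify correct password:", verify("osu12345", *salted[0]))
```

Salting only removes the shared-table shortcut; as mm201 says above, a copied saved login still works as-is for whoever holds the file.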