VPNs tho. O wait, globalists are throttling all VPNs in the US, which is MASSIVE power that no man should be able to do. That's what convinced me this is an actual invasion of the US.
If you use Gab and your password there is the same one you use elsewhere - CHANGE YOUR PASSWORD ELSEWHERE.
The passwords are encrypted, but are now capable of being brute-forced (try every possible combination of letters/numbers) now that they have the hashes.
There are also very sophisticated dictionary attacks out there that can break lots of hashed passwords.
As long as they properly salted and hashed their database, the chances of brute-force and dictionary attacks mean that in about 40-80 years they'll be able to break it.
If, however, it's not properly salted and hashed, it'll take all of about 8 seconds to break.
Everyone should be using a password manager. A different password for every account, ideally multiple emails as well all with fake aliases.
I only use my real name on one account that's used for work and shopping, considering my address and credit cards could be linked to that account. All other accounts could be anyone's.
Best practice is to have a fake identity for each account. It's a stretch to try and speak or type differently, but false information is enough to mask your actual identity. And of course, never post anything that could be used to identify the real you.
When you have direct access to the encoded passwords like this you no longer have to try passwords on individual accounts and on the time schedule the security system limits you to. Imagine trying to guess the combination to a high school locker - pretty slow going. Now imagine every guess you took was instantly tried on every locker in the school.
Your odds of getting into any specific targeted locker (account) are kinda low, but since there are tens of thousands of lockers in this virtual school, you're going to get thousands of accounts.
Then you use these username/password combinations at banks, paypal, bitcoin exchanges, amazon, etc. Again, 50-80% of them won't work, but we're on the order of 10s of thousands, and this can all be automated.
So you end up with thousands of compromised accounts on third parties, and you sell these accounts (for like $20 each) to 4th parties who have money laundering networks.
Now you have $100k and none of it has come directly from any of your victims, making it hard to trace to you.
Gab Social, being based on Mastodon, stores bcrypt hashes of the passwords.
An Nvidia 2080Ti GPU with a bcrypt cost factor of around 10 can only crack 250 hashes/second (versus 54 billion for MD5). As long as you're using a random password, even a 6 character password with only a corpus of upper and lowercase letters plus numbers would still take around 7 years to crack.
Having the hashes does make dictionary attacks much more plausible, however, and these could be performed in fairly short order.
This is a good reason to use a password manager with strong passwords (16 characters minimum) that are fully random.
250 hashes/second, 200k words in my 'leaked passwords' dictionary: (200k/250/60) = 30 minutes to crack anyone stupid enough to use a common password. And out of 100,000s of users that's gotta be 10% or so.
I'm not trying to crack any specific password (theoretically, in this example). I'm just trying to crack a large number of random passwords.
I have several dictionaries that I use. Every English word. All common English/French/German/Spanish words, and my favorite: 200,000 passwords gleaned from other hacks, sorted by frequency.
But you're right, an individual user can avoid all this pretty easily. However, in large groups of people you will always find lazy and stupid ones. I'm not trying to guess person X's name. I'm just guessing that SOMEONE in the group is named John. Or Sarah. Or Kwame.
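The cracking-rate arithmetic in the replies above, carried through as an added example (not any commenter's code). It assumes the figures quoted in the thread (about 250 bcrypt hashes/second at cost 10 on one 2080 Ti, about 54 billion MD5 hashes/second) and the standard bcrypt property that each cost increment doubles the work; it also shows why per-user salting matters when a whole dump is attacked with one wordlist.

```python
"""Work-factor arithmetic for the figures quoted in this thread (an added
example, not a commenter's code). Assumed inputs, taken from the comments:
  - bcrypt at cost 10 on one RTX 2080 Ti: about 250 hashes/second
  - MD5 on the same card: about 54e9 hashes/second
bcrypt runs 2**cost key-setup rounds, so each +1 in cost halves the rate."""

SEC_PER_YEAR = 365.25 * 24 * 3600
BCRYPT_COST10_RATE = 250.0  # figure from the thread
MD5_RATE = 54e9             # figure from the thread


def bcrypt_rate(cost, base_rate=BCRYPT_COST10_RATE, base_cost=10):
    """Guess rate at `cost`, scaled from the quoted cost-10 figure."""
    return base_rate / 2 ** (cost - base_cost)


def brute_force_seconds(alphabet_size, length, rate):
    """Worst case to exhaust every string of exactly `length` symbols."""
    return alphabet_size ** length / rate


def wordlist_seconds(users, words, rate, salted=True):
    """Time for one wordlist pass over a dump of `users` hashes.
    Per-user salts force a separate pass per hash (users * words guesses);
    unsalted hashes let one computed guess be checked against every
    stored hash at once, so the whole dump costs a single pass."""
    return (users * words if salted else words) / rate


def min_cost_for_wordlist(words, min_seconds, base_rate=BCRYPT_COST10_RATE):
    """Smallest bcrypt cost at which one wordlist pass against a single
    hash takes at least `min_seconds` on the assumed hardware."""
    cost = 10
    while wordlist_seconds(1, words, bcrypt_rate(cost, base_rate)) < min_seconds:
        cost += 1
    return cost


if __name__ == "__main__":
    years = brute_force_seconds(62, 6, BCRYPT_COST10_RATE) / SEC_PER_YEAR
    print(f"6 chars of [A-Za-z0-9] vs bcrypt cost 10: {years:.1f} years")
    print(f"same keyspace vs MD5: {brute_force_seconds(62, 6, MD5_RATE):.1f} s")
    one = wordlist_seconds(1, 200_000, BCRYPT_COST10_RATE) / 60
    print(f"200k-word list vs one salted bcrypt hash: {one:.1f} min")
    dump = wordlist_seconds(100_000, 200_000, BCRYPT_COST10_RATE) / SEC_PER_YEAR
    print(f"200k-word list vs 100k salted bcrypt hashes: {dump:.1f} years")
    print(f"bcrypt cost for a 200k-word pass to take >= 1 h: "
          f"{min_cost_for_wordlist(200_000, 3600)}")
```

The 6-character figure reproduces the "around 7 years" quoted above; the salted-dump figure shows that with unique salts a wordlist pass has to be repeated for every hash, which is what makes the unsalted case the dangerous one.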
Because some people (read: idiots) still think it is an acceptable practice to "Forgot Passwords" and send the password to the email, ya know... Instead of just saying "reset password"
It's a good practice not to post anything you want to keep private, regardless of the platform.
There is no privacy on the internet.
Once something goes to the internet, it belongs to the internet forever.
VPNs have no effect against stored data.
Truth.
ProtonMail, when used correctly, can be perfectly safe.
Anybody sending even slightly sensitive material over any method, on any social media site, is a moron.
Good thing I didn't.
Still I find it VERY strange that GAB stores passwords etc. as plain text.
Who does that nowadays, when everything needs to be encrypted?
The headline literally says encrypted passwords
Information elsewhere suggests not encrypted:
https://redpilled.ca/breaking-demonic-tranny-hacks-into-gab-servers-and-steals-all-users-personal-data-threatening-to-release-the-70gb-file-including-every-single-users-unencrypted-password-private-posts-private-gr/
Would be good with a definite answer by Torba to clear up the confusion.
The passwords are definitely hashed.
UNTIL THE "HACKER" produces the goods this is fake fuckin' news people.
We get people fishing for ransom money reporting false breaches all the time at work.
https://news.gab.com/2021/02/26/alleged-data-breach-26-february-2021/
No it doesn't.
Gab Social is based on Mastodon which stores passwords as a bcrypt hash.
Stop spreading this. It's bullshit.
Facebook and Twitter have a history of storing passwords as plain text.