When you have direct access to the encoded passwords like this you no longer have to try passwords on individual accounts and on the time-schedule the security system limits you to. Imagine trying to guess the combination to a high school locker - pretty slow going. Now imagine every guess you took was instantly tried on every locker in the school.
Your odds of getting into any specific targeted locker (account) are kinda low, but since there's 10s of thousands of lockers in this virtual school, you're going to get thousands of accounts.
Then you use these username/password combinations at banks, paypal, bitcoin exchanges, amazon, etc. Again, 50-80% of them won't work, but we're on the order of 10s of thousands, and this can all be automated.
So you end up with thousands of compromised accounts on third parties, and you sell these accounts (for like $20 each) to 4th parties who have money laundering networks.
Now you have $100k and none of it has come directly from any of your victims, making it hard to trace to you.
Gab Social, being based on Mastodon, stores bcrypt hashes of the passwords.
An Nvidia 2080Ti GPU with a bcrypt cost factor of around 10 can only crack 250 hashes/second (versus 54 billion for MD5). As long as you're using random passwords, even a 6 character password with only a corpus of upper and lowercase letters plus numbers would still take around 7 years to crack.
Having the hashes does make dictionary attacks much more plausible, however; these could be performed in fairly short order.
This is a good reason to use a password manager with strong passwords (16 characters minimum) that are fully random.
250 hashes/second, 200k words in my 'leaked passwords' dictionary: (200k/250/60) = 30 minutes to crack anyone stupid enough to use a common password. And out of 100,000s of users that's gotta be 10% or so.
I'm not trying to crack any specific password (theoretically, in this example). I'm just trying to crack a large number of random passwords.
That's the point though. bcrypt largely limits the effectiveness of password cracking to dictionary attacks.
Even an 8 character password with a corpus of most special characters will still take you around 380,000 years to crack at 250 hashes a second ((86^8) / (250 * 86400 * 365)).
I have several dictionaries that I use. Every English word. All common English/French/German/Spanish words, and my favorite: 200,000 passwords gleaned from other hacks, sorted by frequency.
But you're right, an individual user can avoid all this pretty easily. However, in large groups of people you will always find lazy and stupid ones. I'm not trying to guess person X's name. I'm just guessing that SOMEONE in the group is named John. Or Sarah. Or Kwame.
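The arithmetic in the exchange above (keyspace divided by hash rate, and the effect of the bcrypt cost factor) as an added worked example; this is not code from the thread or from Gab/Mastodon. The 250 hashes/second at cost 10 and the 54 billion/second MD5 figure are the thread's numbers for one GPU; the assumption that the bcrypt rate halves with every cost increment follows from bcrypt doing 2^cost rounds. It also goes a step beyond the thread by deriving the minimum random-password length a policy needs to reach a chosen crack-time target.

```python
"""Crack-time estimator for the bcrypt figures discussed in the thread.

Constructed example. Rates are the thread's numbers for a single GPU:
250 bcrypt hashes/second at cost factor 10 and 54e9 MD5 hashes/second.
"""
import math

SECONDS_PER_YEAR = 86400 * 365
BCRYPT_RATE_AT_COST_10 = 250.0   # thread's figure, one 2080 Ti, cost 10
MD5_RATE = 54e9                  # thread's figure, for comparison only


def bcrypt_rate(cost: int, base_rate: float = BCRYPT_RATE_AT_COST_10) -> float:
    """Hashes/second at a given bcrypt cost, scaled from the cost-10 baseline.

    bcrypt runs 2**cost key-setup rounds, so each +1 on the cost halves the
    attacker's rate (assumption: linear scaling from the thread's baseline).
    """
    return base_rate / (2 ** (cost - 10))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try the whole keyspace at `rate` hashes/second.

    The expected time for a single random password is half of this.
    """
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def dictionary_minutes(words: int, rate: float) -> float:
    """Time to run a wordlist of `words` entries against one hash."""
    return words / rate / 60


def min_length_for(alphabet_size: int, rate: float, target_years: float) -> int:
    """Smallest random-password length whose keyspace takes >= target_years."""
    n = 1
    while years_to_exhaust(alphabet_size, n, rate) < target_years:
        n += 1
    return n


if __name__ == "__main__":
    alnum = 26 + 26 + 10          # upper, lower, digits: 62 symbols
    with_special = 86             # thread's "most special characters" corpus
    print(f"6-char alnum, bcrypt cost 10: {years_to_exhaust(alnum, 6, bcrypt_rate(10)):.1f} years")
    print(f"8-char 86-symbol, bcrypt cost 10: {years_to_exhaust(with_special, 8, bcrypt_rate(10)):,.0f} years")
    print(f"8-char 86-symbol, MD5: {years_to_exhaust(with_special, 8, MD5_RATE) * 365 * 24:.1f} hours")
    print(f"16-char alnum, bcrypt cost 10: {years_to_exhaust(alnum, 16, bcrypt_rate(10)):.2e} years")
    print(f"200k-word list vs one bcrypt hash: {dictionary_minutes(200_000, bcrypt_rate(10)):.1f} minutes")
    for cost in (10, 12, 14):
        print(f"cost {cost}: min alnum length for a 100-year budget = "
              f"{min_length_for(alnum, bcrypt_rate(cost), 100)}")
```

The MD5 line is the point of the whole bcrypt discussion: the same 8-character keyspace that takes hundreds of thousands of years against bcrypt falls in under a day against an unsalted fast hash, and a wordlist of common passwords takes minutes against either, which is why the random 16-character recommendation above matters more than the hash choice for any individual user.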
Because some people (read: idiots) still think it is an acceptable practice to "Forgot Passwords" and send the password to the email, ya know... Instead of just saying "reset password"
Still I find it VERY strange that GAB stores passwords etc. as plain text.
Who does that nowadays, when everything needs to be encrypted?
The headline literally says encrypted passwords
Information elsewhere suggests not encrypted:
https://redpilled.ca/breaking-demonic-tranny-hacks-into-gab-servers-and-steals-all-users-personal-data-threatening-to-release-the-70gb-file-including-every-single-users-unencrypted-password-private-posts-private-gr/
Would be good with a definite answer by Torba to clear up the confusion.
The passwords are definitely hashed.
UNTIL THE "HACKER" produces the goods this is fake fuckin' news people.
We get people fishing for ransom money reporting false breaches all the time at work.
https://news.gab.com/2021/02/26/alleged-data-breach-26-february-2021/
Really a SQL injection hack? Do they have imbecilic software developers????
Thanks, fren! 🙂👍
No it doesn't.
Gab Social is based on Mastodon which stores passwords as a bcrypt hash.
Stop spreading this. It's bullshit.
Facebook and Twitter have a history of storing passwords as plain text.