Was CrakRevenue Hacked? - Page 2 - GoFuckYourself.com

Penny24Seven · 02-11-2016, 07:05 AM

Fiddy people who were not hacked but some thought they were so a thread was made and the votes were cast and the winner is....... YOU

ladida · 02-11-2016, 02:37 PM

Well we found out they have a good hash decryption+ salt solution, which many companies would buy

Google Expert · 02-11-2016, 02:49 PM

Quote:

Originally Posted by Brian837

So were they hacked? Still not sure

CurrentlySober · 02-11-2016, 03:11 PM

what is salt?

ladida · 02-13-2016, 06:37 AM

Bumparooni for crack.

ladida · 02-15-2016, 04:35 AM

2 fiddy for hash decryption + salt solution!

going once.

#23 · 02-15-2016, 02:12 PM

nobody got hacked

ladida · 02-17-2016, 11:53 AM

We don't know that.

But we do know there is an epic groundbreaking solution for hash decryption + salt!!!

RandazzoXXX · 02-17-2016, 06:29 PM

So basically what we discovered is that if you're using crakrevenue your passwords are stored in plain text? Copy.

ladida · 02-19-2016, 06:48 AM

This went on the ignore list quick by crak

ladida · 02-20-2016, 06:49 AM

Another bump for perfect "hash decryption + salt" solution!

ladida · 02-23-2016, 04:20 PM

Busy for a bump, not busy for a great solution!

ladida · 02-26-2016, 09:21 AM

Hi + salt here

ladida · 02-29-2016, 05:54 AM

Another day, another great solution

rowan · 02-29-2016, 10:22 AM

Reminds me a little of my bank.

Password length must be 6 characters exactly, letters and numbers only.

A few years ago they changed from a standard web field to an "onscreen keyboard" that you have to click to enter the password. It only lets you enter upper case, but there were no problems with logging me in, even though my password (previously entered with the keyboard) was mixed case. If they were using hashes, there's no way that the uppercase version I entered would match the stored mixed case password. Wouldn't be unreasonable to guess they could be storing the pass in plain text format. Then again, maybe they have some o' dat special decryption algorithm + salt

CPA-Rush · 02-29-2016, 01:08 PM

Quote:

Originally Posted by Muad'Dib

dynastoned · 02-29-2016, 03:11 PM

i don't know why they have limitations on password length anyway

rowan · 02-29-2016, 03:19 PM

Quote:

Originally Posted by dynastoned

could they have written something up for when people login it counts the characters of the password before it's encrypted/decrypted or however the login process works and once login page has finished it carries the true or false of $pw > 16 character information to your account. then if it's true that you have a password that is greater than 16 chars it sends the OP's email to your email addy they have for u in the db? or would that somehow compromise your password?

im not sure how a login page works exactly so i don't know but it seems possible.

Yes, this is possible, because even if the system uses hashes internally, you submit the password to the login page in cleartext. So it would certainly be possible for a program to do a once-off check and notify if it sees the password is too long.

Question is WHY is there the limit in the first place for crak? Password prompts can be made fixed size on a page - they'll just scroll sideways - and there's no real performance difference between sending 5 characters or 500 characters. So why are passwords limited to this length? Even if crak are encrypting them (special decryption algorithm + salt) that means they can be decrypted. Why would a program ever need to access your cleartext password?

klinton · 02-29-2016, 03:34 PM

Quote:

Originally Posted by Brian837

So were they hacked? Still not sure

klinton · 02-29-2016, 03:35 PM

Quote:

Originally Posted by ladida

Another bump for perfect "hash decryption + salt" solution!

dynastoned · 02-29-2016, 05:43 PM

Quote:

Originally Posted by rowan

Yes, this is possible, because even if the system uses hashes internally, you submit the password to the login page in cleartext. So it would certainly be possible for a program to do a once-off check and notify if it sees the password is too long.

Question is WHY is there the limit in the first place for crak? Password prompts can be made fixed size on a page - they'll just scroll sideways - and there's no real performance difference between sending 5 characters or 500 characters. So why are passwords limited to this length? Even if crak are encrypting them (special decryption algorithm + salt) that means they can be decrypted. Why would a program ever need to access your cleartext password?

lol good thing u caught my post i tried to add to the post n somehow edited it out. doing too many things at once.

but yeah things that make you go hmm...

ladida · 02-29-2016, 07:47 PM

Quote:

Originally Posted by rowan

Reminds me a little of my bank.

Password length must be 6 characters exactly, letters and numbers only.

A few years ago they changed from a standard web field to an "onscreen keyboard" that you have to click to enter the password. It only lets you enter upper case, but there were no problems with logging me in, even though my password (previously entered with the keyboard) was mixed case. If they were using hashes, there's no way that the uppercase version I entered would match the stored mixed case password. Wouldn't be unreasonable to guess they could be storing the pass in plain text format. Then again, maybe they have some o' dat special decryption algorithm + salt

No. They just stored it without case. Banks have specific limitations, and yours were letters and numbers only, so they "threw" your pass through something of an regex that would check if the pass had any of those and either block it (if it had special chars) or lowercase/uppercase all letters that were initially input. Thats why not it doesnt matter what u enter.

02-11-2016, 07:05 AM	#51
Penny24Seven So Fucking What Industry Role: Join Date: Jun 2007 Location: USA Posts: 6,289	Fiddy people who were not hacked but some thought they were so a thread was made and the votes were cast and the winner is....... YOU __________________ Our site is coming soon. It will be one of the best ever! I know so. Brian and Penny

02-11-2016, 02:37 PM	#52
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	Well we found out they have a good hash decryption+ salt solution, which many companies would buy __________________ agentGFY at gmail.com

02-11-2016, 03:11 PM	#54
CurrentlySober Too lazy to wipe my ass Industry Role: Join Date: Aug 2002 Location: A Public Bathroom Posts: 38,183	what is salt? __________________ My AI Handywork... My Dream Gal... XXX 👁️ 👍️ 💩

02-13-2016, 06:37 AM	#55
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	Bumparooni for crack. __________________ agentGFY at gmail.com

02-15-2016, 04:35 AM	#56
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	2 fiddy for hash decryption + salt solution! going once. __________________ agentGFY at gmail.com

02-15-2016, 02:12 PM	#57
#23 So Fucking Banned Industry Role: Join Date: Jan 2016 Posts: 555	nobody got hacked

02-17-2016, 11:53 AM	#58
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	We don't know that. But we do know there is an epic groundbreaking solution for hash decryption + salt!!! __________________ agentGFY at gmail.com

02-17-2016, 06:29 PM	#59
RandazzoXXX Confirmed User Industry Role: Join Date: Mar 2008 Posts: 141	So basically what we discovered is that if you're using crakrevenue your passwords are stored in plain text? Copy.

02-19-2016, 06:48 AM	#60
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	This went on the ignore list quick by crak __________________ agentGFY at gmail.com

02-20-2016, 06:49 AM	#61
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	Another bump for perfect "hash decryption + salt" solution! __________________ agentGFY at gmail.com

02-23-2016, 04:20 PM	#62
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	Busy for a bump, not busy for a great solution! __________________ agentGFY at gmail.com

02-26-2016, 09:21 AM	#63
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	Hi + salt here __________________ agentGFY at gmail.com

02-29-2016, 05:54 AM	#64
ladida Confirmed User Join Date: Nov 2005 Posts: 2,149	Another day, another great solution __________________ agentGFY at gmail.com

02-29-2016, 10:22 AM	#65
rowan Too lazy to set a custom title Join Date: Mar 2002 Location: Australia Posts: 17,394	Reminds me a little of my bank. Password length must be 6 characters exactly, letters and numbers only. A few years ago they changed from a standard web field to an "onscreen keyboard" that you have to click to enter the password. It only lets you enter upper case, but there were no problems with logging me in, even though my password (previously entered with the keyboard) was mixed case. If they were using hashes, there's no way that the uppercase version I entered would match the stored mixed case password. Wouldn't be unreasonable to guess they could be storing the pass in plain text format. Then again, maybe they have some o' dat special decryption algorithm + salt

02-29-2016, 03:11 PM	#67
dynastoned mmm yeah! Industry Role: Join Date: Feb 2005 Location: roseville, ca Posts: 5,061	i don't know why they have limitations on password length anyway