Member Avatar for AssertNull

Howdy! AssertNull here. I just created a new account. I'm not engaging in sock-puppetry here and you won't find 100 upvotes and comments about how helpful AssertNull is in answering questions and I won't be answering programming questions under this account if I can help it. The other account is Ben_21 (side note: I never typed in Ben_21 for the user name. I typed in Ben Richards of Running Man fame. What happened?) There is a point to this, however. I've been getting contacted/spammed under my gmail account associated with AssertNull, so I've created a throwaway gmail account to start anew with forums, etc. Note: I'm not accusing Daniweb of spamming me. I know it's not Daniweb. I'm just pointing out that the underlying gmail account is the same. I'm hoping that the Daniweb mods/admins or anyone who understands forums can answer a few generic forum questions to help me tighten up my online security.

Let's say AssertNull has gmail account account1@gmail.com and he used this account to register for Daniweb/Dazah. This is my main e-mail account that I give out to friends, family, etc., not a throwaway account/ Let's say account2@gmail.com is a throwaway account used solely for online forums and Ben_21 used this account to sign up for Daniweb. When account2@gmail.com was created, gmail asks for a backup account and phone number in case you lose your password. Let's say I typed in my real phone number and account1@gmail.com as those backups when creating account1@gmail.com.

My question is this. Can Daniweb (or any other forum or anyone who knows about account2@gmail.com) figure out that account1@gmail.com exists and is controlled by the same person who controls account2@gmail.com? Does registering for Daniweb (or anywhere else) using account2@gmail.com allow Daniweb to figure out who my account2@gmail.com contacts are? More importantly, if account2@gmail.com is compromised, does that compromise account1@gmail.com? account1@gmail.com is the important one with real human contacts that I don't want pestered. account2@gmail.com is, as mentioned, a throwaway.

I had a security breach very likely stemming from someone abusing my registration info (to repeat, not Daniweb) and I'm doing damage control. In particular, I haven't been particularly good about creating different passwords for all accounts, so if my forum account's password is "1234", I assume some hash of "1234" is kept in the forum's database for authentification, so the bad guy has access to that hash value? Suppose account1@gmail.com had password "1234" as well. Could the bad guy use that hash to break into account1@gmail.com?

  • 4 Contributors
  • 10 Replies
  • 1K Views
  • 2 Weeks Discussion Span
  • Latest Post Latest Post by Dani
Member Avatar for AssertNull

OK, no takers. Probably too long, as usual. Let's try this, shorter...

If a bad guy has your username, your password hash, but not your password, what damage can they do if you do not change passwords? And will all password hashes of the same password be the same? Finally, is the actual password stored anywhere but on my own computer (does the server store my password anywhere or just my password hash)?

Member Avatar for rproffitt

While my answer is it's low risk, not once did Google tell me the password. ONLY GOOGLE might answer all your questions.
Read https://www.quora.com/How-does-Google-store-passwords

The better programmers never store the password, but the result from some one way encryption. So to decrypt the attacker has to run the encryption some ludicrous number of times to find that "this" encrypts to "*#&1". Now it may be possible to make a database of hashes but if the salt changes, that blows up.

Is the actual (gmail) password stored elsewhere? Most Android phones!
Then again, the five dollar wrench is faster. Read https://www.explainxkcd.com/wiki/index.php/538:_Security

Member Avatar for AssertNull

The five dollar wrench is indeed faster.

Okay, so I register for the forum at badguy.com. I pick my password "1234". They use a cutting edge hash formula called "addone", so "1234" hashes to "1235". We're assuming here that the "subtractone" un-hash function doesn't exist yet. Now does "1234" ever make it past my personal computer or does only "1235"? If badguy.com never has "1234", then badguy.com can't steal or lose "1234", it can only steal or lose "1235".

As far as where "1234" resides, it resides on my USB Drive in the text file "passwords.txt" with all the rest of them. Probably not the brightest thing to do, but really who besides the five dollar wrench goon could defeat that? In addition, they're stored somewhere in Chrome in a cookie or an SQLite database or wherever. And on my phones in Chrome too.

So badguy.com certainly has "1235" and Google has "1235" since I'm using the same "1234" password there too. Can badguy.com use the hash, "1235", to log in to Google? I'm actually not too worried about Google. Well I am, but for different reasons.

Member Avatar for cereal

In addition: if the hash is generated by a salted md5 or sha1, the attacker can generate a string that outputs the same hash, it does not need to find the exact password, it just need to find a collision. See:

That would not work on Google, but it can work on other web services that are storing passwords as md5 or sha1 hashes. In some cases, you could see that the collision string does not work, for the only reason that the Z webiste is storing passwords in plain text :D

If I can suggest, change the passwords everywhere and activate the 2FA:

Also, it's a good practice to use plus addressing when signing in new services, as example name+zwebsite@gmail.com so, if you get spammy messages, you have a chance to find out the source. Plus addressing also works in Hotmail.

By the way, I use this service to get data breaches notices:

It works well.

commented: Exploits. Exploits everywhere (insert meme here) +11
Member Avatar for rproffitt

About 1235. Who said badguy and google use the same one way hash and salt? The entire reason for custom salt is to mitigate what you envisioned.

Member Avatar for AssertNull

About 1235. Who said badguy and google use the same one way hash and salt? The entire reason for custom salt is to mitigate what you envisioned.

Good. That's what I wanted to hear. Makes me feel slightly better. Actually this whole five dollar wrench thing is popping up in my head. No one's threatened me with a wrench, but I'm not 100% sure someone's not physically gaining access to my laptop or that USB Drive. This might be changing from someone knowing my password to knowing my locker combination or having my office key. Hope not.

Member Avatar for Dani

Can Daniweb (or any other forum or anyone who knows about account2@gmail.com) figure out that account1@gmail.com exists and is controlled by the same person who controls account2@gmail.com?

If you log into Dazah or another app by using the "Login with Google+" button, then it pulls in all of your Google info into said app. One of the things the app might be able to retrieve should it choose to do so is all known email addresses attached to the Google account you chose to log in with. If Google is associating both emails with an individual Google account, and you log into third party apps with said Google account, it's possible to retrieve both emails.

account1@gmail.com is the important one with real human contacts that I don't want pestered.

We are able to get access to your email, not the email of any of your contacts.

if my forum account's password is "1234", I assume some hash of "1234" is kept in the forum's database for authentification, so the bad guy has access to that hash value?

This is obviously different for each forum/app you choose to use. Some are more secure than others. Some simply use MD5() while others use BCrypt, etc. Some might even store your password in the database plaintext for heaven's sake! Whenever you create an account anywhere online, you need to be aware that your login credentials are only as safe as the strength of the encryption used on your password multiplied by the likelihood that their database servers don't get hacked.

Passwords are meant to be one-way encrypted in the database, but rainbow tables exist.

Member Avatar for AssertNull

pulls in all of your Google info into said app.

Define "all". Every email I've ever written? Every website I've ever visited? My contacts?

We are able to get access to your email, not the email of any of your contacts.

I never even considered THAT. My question is if I logged in using Google+ and joe@joeswebsite.com was one of my Google contacts, would you know that?

Passwords are meant to be one-way encrypted in the database, but rainbow tables exist.

I'm dealing with someone who quite simply doesn't care about responsibly storing my info and might be doing the hacking himself. So about the part of storing my password in plaintext, that seems to answer my earlier question about whether the password is actually sent from me to them as opposed to just the password hash. They can't abuse my password if they don't have it. Clearly they have it.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.