Boyah Forums

https://searchcode.com/codesearch/view/40326435/#l-1368


I came across this and there is a hashed (idk if salted) password for at least Thyme, LoTE, and Bluaki. 

It's a sql dump from I don't know where. I'm guessing NSFCD's IRC, though could be elsewhere.

if you didn't use that password elsewhere you're ok but fyi lol

is there any way to retrieve the original password if it was hashed

Quote from: squirrelfriend on April 18, 2016, 04:20:59 PM
is there any way to retrieve the original password if it was hashed

There are many variables that make the answer range from "yes" to a "theoretically yes, but reasonably no"

that meaning, given enough time and/or processing power, any password can be brute forced and/or a hash can be cracked.

If it's a weak and/or unsalted password the amount of time/power becomes significantly smaller.

If a password is "fuckyou123" someone probably already calculated those hashes.

if it's "xEK3dfjk.#%!@#39209sdkjfKJESOWVNSWdsfksj!!dk" and it's salted with #f9W18 and the UN then the salted hash and original would both need to be broken

But why? And had this been it there all this time?

Quote from: ­Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...­ on April 18, 2016, 04:25:33 PM
But why? And had this been it there all this time?

idk how long it's been up there.

I just came across it a few minutes before posting it (searched for something else related to boyah and it brought up this as a result).

looks like September 2012 was the dump. So closer to 3.5 years.

how protected are boyah's passwords?  #boyahtransparency2016

Quote from: Khadafi on April 18, 2016, 04:29:03 PM

Quote from: ­Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...­ on April 18, 2016, 04:25:33 PM
But why? And had this been it there all this time?

idk how long it's been up there.

I just came across it a few minutes before posting it (searched for something else related to boyah and it brought up this as a result).

looks like September 2012 was the dump. So closer to 3.5 years.

That could have been when my other twitter account that I used for anime purposes was compromised which I may have used that password for.

Quote from: David on April 18, 2016, 04:30:57 PM
how protected are boyah's passwords?  #boyahtransparency2016

They're salted (with 2 unique variables for each user) and hashed so they're pretty secure


if someone got full DB acess they'd get access to that hash and the 2 salt values but it'd still take a tremendous amount of time to actually crack it.

Quote from: Khadafi on April 18, 2016, 04:35:48 PM

Quote from: David on April 18, 2016, 04:30:57 PM
how protected are boyah's passwords?  #boyahtransparency2016

They're salted (with 2 unique variables for each user) and hashed so they're pretty secure


if someone got full DB acess they'd get access to that hash and the 2 salt values but it'd still take a tremendous amount of time to actually crack it.

nice.  tybjmv

My shitty password continues to be unbreakable baddood;

Given all the names there that might have been the ns2 channel on chatspike. Unless they just grabbed everybody on chatspike or the #chatspike or #nintendo channel.

But then again there's a bunch of stuff about twilightirc which I can never remember using but it looks like it was connected to http://cuccoscratch.com/

my boyah password is heinously simple. like it's a dictionary word simple lol

i started using strings of random horshit like 5 years ago but never got around to chagning boyah lol

SOMEONE HACK ME GOGOGOGO

my password is jsnake
idk why retards on outsider were allowed to be mod over me tbh

irc has pws?

Quote from: SVT on April 18, 2016, 08:59:47 PM
irc has pws?

if you registered yr nick
I never did

oic. thx for info

I used to use the same ~3 passwords everywhere, but more recently have been using unique ones.

A password I used in 2012 isn't really used anymore for any account I care about. Except maybe this Boyah one. Come to think of it, maybe I should change my password here.

It's not like anybody's going to try breaking into my boyah account anyway y/n

So, the passwords in that table are created essentially with:
1. Use the salt "lonjwxrb" for everyone (that's sufficiently random, right?)
2. Run the glibc crypt() function with md5

The strings are in a format like "$1$lonjwxrb$2YF4eBU24K2w/92MNkEEp0"
where "$1$lonjwxrb$" indicates the salt and hash type (1=md5)

#include <stdio.h>
#include <crypt.h>
int main(int argc, char *argv[]) {
puts(crypt(argv[1], "$1$lonjwxrb$"));
}
$ gcc crypt.c -lcrypt -o crypt
$ ./crypt password
$1$lonjwxrb$2YF4eBU24K2w/92MNkEEp0
I've verified that the password I used back then matches my entry. By the way, of those 415 nicks, three have the password "password". There's no "hunter2" or "jsnake".

what fucking retard used the same salt for EVERY PASSWORD

well irc is not modern by today's standards 5thgrade;
that's why there's a lot of slack clones out there

It's not a native IRC  feature though. It's the database for the NickServ bot.

exactly, no one bothers to maintain it

i sometimes use msg for my pw's other times i just forgoe the spices all together

lol list ends at 420 haha

boyah needs embedded IRC

Quote from: antmaster5000 on April 19, 2016, 08:10:44 PM
boyah needs embedded IRC

just use slack it's the same thing

i mean like practically not lit same but w/e

sure lets do it

Quote from: Khadafi on April 19, 2016, 04:21:26 PM
It's not a native IRC  feature though. It's the database for the NickServ bot.

It's not even an issue with the bot software. Atheme services (the system ChatSpike uses for NickServ/ChanServ) seems to support random salts for each password, but judging by that database dump, I guess ChatSpike's instance of it was misconfigured in 2009.

They've probably fixed it by now for new registrations and password changes.

NickServ is the closest thing to a "standard" that isn't in the RFC. Just about every IRC client supports automatically authenticating with it. Most networks have it, although some of the biggest networks are among the ones that don't.

oh shit so like does it affect other channels that were hosted on chatspike
the day i sperged on #nin10doh was weird

Quote from: squirrelfriend on April 19, 2016, 09:32:29 PM
oh shit so like does it affect other channels that were hosted on chatspike
the day i sperged on #nin10doh was weird

Yes, you can see the list of names in the link JMV gave. There are a lot of names on the list that I recognize from other ChatSpike channels who I know never joined any kind of channel related to nsf, nintendo, or even video games.

That said, there's a lot of gaming-related passwords in that list. Among them, there's "pokemon" (2 unique emails), "pikachu" (3 unique emails), "shadow", "ocarina", "gaming", and probably more that aren't in my dictionary.

well i'm glad i can't see mine they must have purged it
was #boyah hosted there

Quote from: squirrelfriend on April 19, 2016, 09:49:05 PM
was #boyah hosted there

yes, but that was way after this database dump happened

there's no data from post-2009

like i remember joining chatspike pre-2009
and i see a lot of references to "twilightirc"
And the table was supposedly generated in 2012

Though was it actually chatspike? Because a lot of the stuff in there had stuff about twilightirc.net which I didn't ever remember using but judging from an email I did register a nick there May 2009.

And then it looked like twilightirc had a bunch of to do with cuccoscratch (http://cuccoscratch.com/forum/) (A forum from an old NSider Mod)

And looking up twilightirc (http://web.archive.org/web/20070701204707/http://www.twilightirc.net/) brought up that it was hosted by Bluespider Technical Solutions which also hosts cuccoscratch.

Searching for Bluespider Technical Solutions brings up this guy's blog www.danneh.org and that same blog shows up when search the bitbucket name danneh3826 that the irc stuff is pulled from. And that guy looks like he's probably an Admin at cuccoscratch.

So I was wondering if this was an accidental leak.

Quote from: squirrelfriend on April 19, 2016, 09:58:21 PM
like i remember joining chatspike pre-2009
and i see a lot of references to "twilightirc"
And the table was supposedly generated in 2012

I think TwilightIRC is the browser-based (Java plugin) IRC client that nsiderforums used to have. Everybody who used that client shares some of the same identity fields, since only the nick was taken from their actual forum username.

Yes, the header says something about the data being printed in 2012, but the dump itself holds a copy of data from 2009. The database includes a lot of timestamp fields. The latest timestamp in there is 1252656840, which refers to Fri Sep 11 04:14:00 EDT 2009. That's from the "seen" field, which updates to present every time anybody authenticates with NickServ.

Quote from: ­Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...Ì...­ on April 19, 2016, 10:11:35 PM
Though was it actually chatspike? Because a lot of the stuff in there had stuff about twilightirc.net which I didn't ever remember using but judging from an email I did register a nick there May 2009.

And then it looked like twilightirc had a bunch of to do with cuccoscratch (http://cuccoscratch.com/forum/) (A forum from an old NSider Mod)

Actually, I think you're right.

I do see a few nicks in that list belonging to ChatSpike people I wouldn't expect to be on that network, but I guess they really did go there. The list of channel names and ircops doesn't match and there are some missing names I would expect to be there if it was ChatSpike.

well i'm glad i didn't like join the chatroom on nsf
(i much preferred ns2 over nsf during the mass exodus tbh
the drama there was hilarious)

I have no idea if I did or didn't also this document just looks like a big empty list to me

Quote from: ʜɨ�ɵ҈҈ on April 28, 2016, 12:28:13 PM
I have no idea if I did or didn't also this document just looks like a big empty list to me

go search for your email address using the find feature of your browser

ctrl+f

Quote from: squirrelfriend on April 19, 2016, 10:41:16 PM
well i'm glad i didn't like join the chatroom on nsf
(i much preferred ns2 over nsf during the mass exodus tbh
the drama there was hilarious)

though I'm wondering if maybe this had something more to do with ns2 or something. Like maybe one of those camp things, or some cross forum event, or one of those trivia things given all the nsider type names listed. Because I cannot fathom why I signed up on twilightirc.net otherwise.

ah I'm good

Quote from: ­̅̅̅̅̅̅̅̅̅̅­ on April 28, 2016, 01:09:59 PM

Quote from: squirrelfriend on April 19, 2016, 10:41:16 PM
well i'm glad i didn't like join the chatroom on nsf
(i much preferred ns2 over nsf during the mass exodus tbh
the drama there was hilarious)

though I'm wondering if maybe this had something more to do with ns2 or something. Like maybe one of those camp things, or some cross forum event, or one of those trivia things given all the nsider type names listed. Because I cannot fathom why I signed up on twilightirc.net otherwise.

yeah there might be a point to this
was pelord ever on ns2
but as you said, it also was associated with hen and cuccoscratch apparently

Yeah pelord was a mod on ns2 at some point. Don't know if he still is or still goes there.

(Or somebody named pelord anyway)