charp, Posted May 5, 2005

I run a site hosted here by TCH for my school and I've just learned that one of my students has hacked the passwords for my .htaccess protected directories. Word is that he used a hacking program called "John XXX XXXXXX" [I won't spell out the entire name just to be safe] to get to my passwords. Can anyone say if this is indeed possible? If yes, what in the world can I do to securely protect access to these directories if any teenager with a freely downloadable hacker application can access my passwords? I really need some advice here and fast. Please help! Thanks in advance.
stevevan, Posted May 5, 2005

I haven't heard of that, but then again, that's not to say that it's not possible. Hopefully some of our more "security-wise" family members will chime in here.
Guest Serpentine, Posted May 5, 2005 (edited)

Is it possible? Sure. But those programs are best at getting weak or weaker passwords. I would get AnyPassword and change all of your passwords. This program generates and stores your passwords so you do not have to remember them. I have mine set to at least 24 characters for my passwords using upper and lower-case, numbers and symbols. It takes quite a bit to get to that kind of password. I would wait and see what some of the more security-minded folks here have to say.

Edited May 5, 2005 by Serpentine
charp (Author), Posted May 5, 2005

Serpentine, thanks for the reply. I checked on this program and it is used to crack "weak" passwords on Unix systems. I wonder if "weak" simply means short passwords that don't make use of upper and lower case characters along with numerals and symbols. If making my password "strong" doesn't require some sort of special encoding or hashing, then big complicated password here we come. Could it be that simple? As you suggest, I would still like to hear from some serious security gurus.
TCH-Dick, Posted May 5, 2005

A weak password would be:
- less than 8 characters
- consisting of only lower case letters
- a common dictionary word

I know what program you are referring to; it uses a word list and requires access to the file/files storing the passwords. So the only way that someone could have done this is if they were able to access your files.
Striver, Posted May 5, 2005

> Serpentine, If making my password "strong" doesn't require some sort of special encoding or hashing, then big complicated password here we come. Could it be that simple?

Here is a good article on creating strong passwords: http://www.verchi.com/tech/pass.htm

Lee
MikeJ, Posted May 5, 2005

Everyone pretty much covered the bases already, but I'll reemphasize the biggest point, and that is not to allow *anyone* to gain access to the password file. Once someone has access to or a copy of the hashed passwords, it's relatively simple to crack the easier ones. All it takes is CPU time.
borfast, Posted May 5, 2005

I was just going to say what Mike already said. If he used that John-etc (it's probably the best known password cracker, btw), it means he had access to the password files. All you have to do is remove from him the possibility of accessing the password files and I'm pretty sure he won't be able to get into your site again. If he does, then you're probably dealing with someone who has a bit more knowledge than usual and that will require some other measures. But I wouldn't expect that.
charp (Author), Posted May 5, 2005

> All you have to do is remove from him the possibility of accessing the password files and I'm pretty sure he won't be able to get into your site again.

Thanks everyone for the advice. I will definitely go for a STRONG password. However, I'm not sure how to restrict access to the password file. I believe the .htaccess file is in the root directory and that the passwords are actually outside the root directory -- perhaps someone at TCH can clarify this point. These files are generated and placed by the cPanel interface, so I'm not sure what I can do to secure these files.
Beltza, Posted May 5, 2005

Note that if you are using 'Basic' authentication, your username and password are passed from the client to the server in plain text across the network. Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across. Using the 'Digest' authentication type solves this problem, but is more difficult to implement and is not supported by all browsers. Read more about it in the Apache documentation: http://httpd.apache.org/docs/howto/auth.html
charp (Author), Posted May 5, 2005

> Anyone listening with any variety of packet sniffer will be able to read the username and password in the clear as it goes across.

So, that would be an alternate way to discover the password without using a cracking tool such as John XX. But in this instance, it appears that the cracking tool was used and not a packet sniffer. That leaves me with the big question of how this student gained access to the password files. Wouldn't he need access to my hosting account to also have access to the password files?
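The three defensive points raised across the thread (TCH-Dick's definition of a weak password, MikeJ's and borfast's advice that nobody must be able to read the password file, and charp's question of where cPanel puts that file relative to the web root) can be turned into a small audit script. The following is an added example, not code from the original thread or from TCH/cPanel. It parses a constructed .htaccess, checks whether the AuthUserFile it names lies outside the document root (a file under public_html can be fetched over HTTP unless the server blocks it), classifies each htpasswd entry by hash scheme (traditional crypt and MD5-based apr1 fall to word lists far faster than bcrypt), and tests candidate passwords against the thread's weakness criteria. All paths, usernames, hash values and the word list are constructed samples.

```python
"""Audit an Apache .htaccess / htpasswd setup along the lines the thread advises.

Added example; everything below (paths, users, hashes, word list) is constructed.
"""
import os
import re

# Constructed sample .htaccess, in the shape cPanel's password-protection tool writes.
SAMPLE_HTACCESS = """\
AuthType Basic
AuthName "Grades"
AuthUserFile /home/example/public_html/grades/.htpasswd
Require valid-user
"""

# Constructed sample htpasswd file mixing hash schemes (values are not real hashes).
SAMPLE_HTPASSWD = """\
teacher:$2y$05$abcdefghijklmnopqrstuuVw8nZG1kMkXc6yWm6zMZjG4F9oLbmQe
student1:$apr1$saltsalt$5LXm0xtwfTKfCcCvA1xwa0
olduser:xyQaJHVIg8cLg
"""

# Tiny constructed word list standing in for a cracker's dictionary.
DICTIONARY = {"password", "school", "teacher", "letmein", "welcome"}


def parse_htaccess(text):
    """Return a dict of directive -> value (quotes stripped), ignoring comments."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip().strip('"')
    return directives


def auth_file_outside_webroot(htaccess_text, document_root):
    """True when AuthUserFile is not beneath document_root, so HTTP cannot serve it."""
    auth_file = parse_htaccess(htaccess_text).get("AuthUserFile")
    if auth_file is None:
        return False  # no password file named at all; treat as a failed check
    root = os.path.normpath(document_root) + os.sep
    return not os.path.normpath(auth_file).startswith(root)


def hash_scheme(hash_field):
    """Classify an htpasswd hash field by the prefixes Apache's htpasswd emits."""
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"            # slow by design; the only scheme worth keeping
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"          # fast MD5 iteration; word lists chew through it
    if hash_field.startswith("{SHA}"):
        return "sha1"              # unsalted; fast to crack
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt"             # traditional DES crypt: 8-char limit, very fast
    return "plaintext-or-unknown"


def audit_htpasswd(text):
    """Return {user: scheme}; any scheme other than bcrypt deserves a password reset."""
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, _, field = line.partition(":")
        result[user] = hash_scheme(field.strip())
    return result


def is_weak_password(password, dictionary=DICTIONARY):
    """Weak by the thread's criteria: under 8 chars, only lower-case letters, or a dictionary word."""
    if len(password) < 8:
        return True
    if password.isalpha() and password.islower():
        return True
    if password.lower() in dictionary:
        return True
    return False


if __name__ == "__main__":
    print("AuthUserFile outside web root:",
          auth_file_outside_webroot(SAMPLE_HTACCESS, "/home/example/public_html"))
    for user, scheme in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user}: {scheme}")
    for pw in ("school", "abcdefghijk", "Tr0ub4dor&3xY!"):
        print(pw, "weak" if is_weak_password(pw) else "ok")
```

With the constructed sample, the script reports that the password file sits under public_html, that only the `teacher` entry uses bcrypt, and that the first two candidate passwords are weak. Moving AuthUserFile to a directory above the document root and regenerating every entry with a strong password addresses the two failure modes the thread identifies: the file being readable by someone who should not see it, and the hashes being cheap to crack once it is.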