Small Problem with Web Site


Postby Sc00bz » Fri Jul 16, 2010 6:40 am

On page http://www.cryptohaze.com/gpurainbowcracker.php your GPU performance table is mislabeled: an nVidia 8800 GTX OC is faster than an nVidia GTX295 (single core).

Oh yeah, on page http://www.cryptohaze.com/passwordsecurity.php: "Password Storage: You're doing it wrong if: .... You let users log in with plaintext passwords over unencrypted HTTP." Don't you do that? :D I know FRT and 3.14.by do the same thing, and Hashkiller uses Simple Machines Forum, which stores sha1(user + pw) in the database and during login sends sha1(sha1(user + pw) + salt) on the first login attempt, but after that it sends plain text, which I'd say is not secure either. Personally I'd use a self-signed cert or JavaScript RSA to send "md5(user + pw) xor salt," but GoDaddy does have cheap certs at $25/yr.
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm

Re: Small Problem with Web Site

Postby Bitweasil » Sat Jul 17, 2010 12:30 am

Thanks for the suggestions, I will fix those benchmark errors.

The old Cryptohaze login had some JavaScript mangling, and I *think* phpBB3 does as well, but I should probably check that. :)
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Small Problem with Web Site

Postby Sc00bz » Sat Jul 17, 2010 10:21 pm

POST /forum/ucp.php?mode=login HTTP/1.1
....
Content-Length: 86

username=sc00bz&password=password removed&login=Login&redirect=.%2Findex.php%3F


That is my real password too, including the [ i] [ /i]... oh right, [] would be %5B and %5D. Damn, you got me, it's not :)
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm

Re: Small Problem with Web Site

Postby Bitweasil » Sun Jul 18, 2010 5:46 pm

Oh FFS. Yeah, looks like you're right. I'll see if I can find a patch to fix that...
Bitweasil
Site Admin
 
Posts: 912
Joined: Tue Jan 20, 2009 4:26 pm

Re: Small Problem with Web Site

Postby Sc00bz » Sun Jul 18, 2010 9:51 pm

Well, besides a self-signed cert, which looks bad but is safe because it's a one-time warning and the user will know when it changes, and JavaScript RSA, which can be man-in-the-middled without the user knowing, you can modify the hash function for phpBB so it does md5($user . $pw) before it does the normal phpBB hash. The only problem is that you will have to check with AJAX first to see if the user has the newer hash; then you can send md5($user . $pw) instead of just the plain text password.
Sc00bz
 
Posts: 93
Joined: Thu Jan 22, 2009 9:31 pm
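
The migration described in the last post, sketched as an added example that is not part of the thread or of phpBB's code. It assumes an in-memory user table and uses scrypt as a stand-in for "the normal phpBB" hash; all function names are hypothetical.

```javascript
// Added example (Node.js). Hypothetical names; scrypt stands in for phpBB's own hash.
const crypto = require('crypto');

const md5hex = (s) => crypto.createHash('md5').update(s, 'utf8').digest('hex');
const slowHash = (secret, salt) => crypto.scryptSync(secret, salt, 32).toString('hex');
const same = (a, b) => crypto.timingSafeEqual(Buffer.from(a, 'hex'), Buffer.from(b, 'hex'));

// Constructed user table; accounts start on the legacy hash-of-plaintext format.
const users = new Map();
function addLegacyUser(user, pw) {
  const salt = crypto.randomBytes(16).toString('hex');
  users.set(user, { salt, hash: slowHash(pw, salt), prehashed: false });
}

// The "check with AJAX first" step: tells the client which form to send.
function hasNewHash(user) {
  const rec = users.get(user);
  return Boolean(rec && rec.prehashed);
}

// Server side: expects md5(user + pw) for upgraded accounts, plaintext otherwise.
function login(user, credential) {
  const rec = users.get(user);
  if (!rec) return false;
  if (rec.prehashed) return same(slowHash(credential, rec.salt), rec.hash);
  if (!same(slowHash(credential, rec.salt), rec.hash)) return false;
  // Legacy login succeeded: re-hash so later logins take the pre-hash instead.
  rec.salt = crypto.randomBytes(16).toString('hex');
  rec.hash = slowHash(md5hex(user + credential), rec.salt);
  rec.prehashed = true;
  return true;
}

// Client side: decide what goes into the POST body.
function clientCredential(user, pw) {
  return hasNewHash(user) ? md5hex(user + pw) : pw;
}
```

Once an account is upgraded, the md5 value is itself the credential the server accepts, so this keeps the plaintext password out of the request body but does not replace transport encryption.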

