Pink Poogle Toy Forum

The official community of Pink Poogle Toy

All times are UTC




Posted: Fri Jan 20, 2006 1:50 pm
Administrator

Posts: 1140
Joined: Mon May 31, 2004 1:36 pm
the_dog_god wrote:
Cookies are your password. They're the stored version of that password which is logged onto your computer. By taking your cookies, they're taking your password.

ArwenEarendil wrote:
Cookies store your password... yes.

But in MD5. You'll need a decoder to actually get your password.


The technicality here is that cookies are not linked to your password. Cookies, more often than not, store a random token that authenticates that you are who you say you are. If you lose/duplicate the token, you only compromise the current session (which should be revocable or locked to your IP / Browser anyway), rather than the ability to create new sessions (hence it's useful to have a password-prompt on important pages of the website -- for example, account details).

Simple analogy: Suppose your password is "password". You then log in to the server using the password (checked against the stored version in their database) -- if you pass the check, the server generates a random token to give you in a cookie: "apples", for example. Now, each time you talk to the server, you include your session key: "apples", and not your password ("password").
Now, suppose someone got a copy of your cookie -- only the currently active session is compromised, not your password. In other words, should the session be terminated (or verified using the user-agent tag of the browser you're using, or the IP you're accessing the site from), whoever stole the cookie cannot access your account or get a new session, since your password ("password") is not compromised.



Speaking of MD5: reversal databases do exist -- and chances are you can get the MD5 hash of common words reversed pretty easily. And since no hashing algorithm is collision-free, you don't even have to get the right password -- as long as it fits the hash, you've won.


Will you stop with the honour stuff?
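
Added example (editorial, not part of the post above and not Neopets' code): a minimal server-side session store matching the scheme that post describes, where the cookie carries a random token issued after the password check, bound to the browser's user-agent and revocable. The class name, method names and timeout are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed lifetime for this sketch


class SessionStore:
    """Server-side table mapping hashed tokens to session records."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(token):
        # Keep only a hash of the token, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, user_agent, now=None):
        """Call only after the password check has passed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random, unrelated to the password
        self._sessions[self._key(token)] = {
            "user": user, "ua": user_agent, "expires": now + SESSION_TTL}
        return token  # this value goes into the cookie

    def validate(self, token, user_agent, now=None):
        """Return the user name, or None if the cookie must be rejected."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._key(token))
        if rec is None or now >= rec["expires"]:
            return None
        if not hmac.compare_digest(rec["ua"].encode(), user_agent.encode()):
            return None  # same cookie presented by a different browser
        return rec["user"]

    def revoke(self, token):
        """End one session, e.g. on logout."""
        self._sessions.pop(self._key(token), None)

    def revoke_all(self, user):
        """End every session for a user, e.g. after a suspected cookie theft."""
        for k in [k for k, r in self._sessions.items() if r["user"] == user]:
            del self._sessions[k]
```

After `revoke_all`, a copied cookie is worthless and a new session can only be opened with the password, which never appeared in the cookie.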


Posted: Fri Jan 20, 2006 4:31 pm
PPT Trainee
Posts: 507
Joined: Sat Oct 23, 2004 11:10 am
ArwenEarendil wrote:
Cookies store your password... yes.

But in MD5. You'll need a decoder to actually get your password.


No.

Neopets' passwords are based on your password, and yes, encoded with MD5*. But the entire point of MD5 is that it's IMPOSSIBLE to go in the reverse direction. You CANNOT figure out a password from the cookie. End of story.

If you want more information, here. If the cookie were only an MD5 hash of the password, then you could do what's called a brute force attack: you could make a list of all the possible passwords, and find all their MD5 hashes, and try to find one that matched. But that won't work with neopets cookies, since what's being stored there is more than just your password. I'd hazard a guess it involves some timing data based on when you last changed it, and also some random data. To brute force this would be physically impossible. Computers are not fast enough.

* Or possibly some other similar algorithm.


Hunter Lupe wrote:
The technicality here is that cookies are not linked to your password. Cookies, more often than not, store a random token that authenticates that you are who you say you are.


It can be done that way, but that's not how it is here.


(edited twice to clarify things)


Nabile pwns you...

            ...At Lenny Connundrum.
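
Added example (editorial, not part of the post above and not Neopets' code): why random data mixed into a password-derived value matters. An unsalted MD5 of a password is the same for every user and every site, so a list hashed once in advance matches it, while a per-user random salt with a slow KDF (PBKDF2 here, chosen for this sketch) yields a value that no precomputed list contains. The function names, iteration count and sample list are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this sketch


def unsalted_md5(password):
    """The weak scheme: the same password always gives the same value."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def in_precomputed_table(stored_hex, table):
    """True if a table built once, ahead of time, already contains the value."""
    return stored_hex in table


# Constructed sample data: a tiny common-password list hashed in advance.
COMMON = ["password", "123456", "neopets"]
TABLE = {unsalted_md5(p) for p in COMMON}
```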


Posted: Fri Jan 20, 2006 9:10 pm
Beyond Godly

Posts: 2743
Joined: Mon May 31, 2004 3:55 pm
Location: PEI, Canada
Gender: Female
I think these last few posts show why a lot of people who were spreading info about this "hacker" on the neoboards and petpages were warned: they may be sure they know what they're talking about, but be mistaken. It makes sense that TNT wouldn't want any non-team member "educating" the masses on Neopets messageboards when they don't have the full story.


Posted: Fri Jan 20, 2006 10:27 pm
PPT Toddler

Posts: 146
Joined: Wed Dec 22, 2004 2:36 pm
Location: Neopia
Cranberry wrote:
I think these last few posts show why a lot of people who were spreading info about this "hacker" on the neoboards and petpages were warned: they may be sure they know what they're talking about, but be mistaken. It makes sense that TNT wouldn't want any non-team member "educating" the masses on Neopets messageboards when they don't have the full story.



That's a great point, Cranberry. Still, I think it'd be best if they just addressed it in the news features, with an explanation and advice...


My Little Corner of Neopia


Posted: Fri Jan 20, 2006 11:23 pm
Beyond Godly

Posts: 2743
Joined: Mon May 31, 2004 3:55 pm
Location: PEI, Canada
Gender: Female
I never disputed that. It's not an either/or situation here -- it's not "either they let uninformed people spread incomplete info on the neoboards, or they post something in the news." Yes, they should definitely let us know something was wrong and has now been fixed, but that's a separate issue from the topic of this thread, which is them warning people and clearing petpages. All I said in my posts was that this behavior is understandable, from a business and safety perspective.


Posted: Sat Jan 21, 2006 1:29 am
PPT Warrior

Posts: 765
Joined: Thu Jun 17, 2004 1:28 pm
Location: Among the crayons on my desk..
DOH. Why'd I put that?! Sorry. =P

Hunter Lupe and dolphinling.. greatest apologies.

I blame it for the post at 4:16 AM, but that's no excuse.

So everyone.. disregard previous post.

(Of course, this goes hand in hand when I originally thought it was encoded in SHA1)


Set by Medusa ♥

Posted: Sat Jan 21, 2006 5:01 am
PPT Toddler

Posts: 129
Joined: Thu Aug 04, 2005 9:44 pm
So is the whole cookie grabber fiasco thing over yet? I need to rs.


Always believe in hope

