Someone has my database. MD5 to text possible??

Discussion in 'MySQL' started by Shimurai, May 30, 2009.

  1. #1
    Hello,

    A hacker has stolen my forum database, it's a vBulletin 3.8.2, and he showed me a screenshot of the table 'users' where the password is shown in MD5, so my question is: is that person going to be able to convert the MD5 to text and know the passwords of all the users of my forum???

    Thank you.
     
    Shimurai, May 30, 2009 IP
  2. Bohra

    #2
    vBulletin passwords are MD5 with salt; it's very tough to crack it.
     
    Bohra, May 31, 2009 IP
  3. johnkramlich

    #3
    MD5 is a hash. Hashes are one-way, so you cannot discern the user's password just by inspecting the hash. They would have to brute force the MD5 values or use something like the MD5 lookup database that exists online.

    Focus on identifying and closing whatever hole allowed them to get a copy of your database. The MD5 issue is relatively minor compared to that.
     
    johnkramlich, May 31, 2009 IP
  4. Shimurai

    #4
    So that means that they can't get my users' passwords by having my database?? All I want to know is if my users' passwords are secured.
     
    Shimurai, May 31, 2009 IP
  5. Jotun

    #5
    Brute force/dictionary attack is the only way, so if you have users with passwords like abc123 the hacker might be able to find them. Btw, vBulletin stores the salt value in the users table so it only makes the brute force attempt a bit slower (hash is calculated as md5(md5(cleartext) . salt)).
     
    Jotun, May 31, 2009 IP
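
An added example, not part of the thread and not vBulletin's own code: because md5(md5(cleartext) . salt) is fast to compute, one mitigation is to run each stored digest through a slow KDF, which needs no cleartext and makes every guess against a future copy of the table far more expensive. The function names, the row layout and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os

ROUNDS = 600_000  # assumed PBKDF2 work factor; tune for your server


def vb_legacy_hash(password: str, vb_salt: str) -> str:
    """md5(md5(cleartext) . salt), the scheme quoted in the thread."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + vb_salt).encode("utf-8")).hexdigest()


def _stretch(legacy_hex: str, kdf_salt: bytes, rounds: int) -> str:
    # PBKDF2-HMAC-SHA256 over the legacy digest: each guess now costs
    # `rounds` HMAC evaluations instead of two MD5 calls.
    return hashlib.pbkdf2_hmac(
        "sha256", legacy_hex.encode("ascii"), kdf_salt, rounds
    ).hex()


def wrap_row(row: dict, rounds: int = ROUNDS) -> dict:
    """Replace a row's stored MD5 digest with a stretched one; no cleartext needed."""
    kdf_salt = os.urandom(16)  # fresh random salt per user
    return {
        "username": row["username"],
        "salt": row["salt"],  # the original salt is still needed at login
        "kdf_salt": kdf_salt.hex(),
        "rounds": rounds,
        "password": _stretch(row["password"], kdf_salt, rounds),
    }


def verify_login(password: str, row: dict) -> bool:
    """Recompute the legacy hash, stretch it, compare in constant time."""
    candidate = _stretch(
        vb_legacy_hash(password, row["salt"]),
        bytes.fromhex(row["kdf_salt"]),
        row["rounds"],
    )
    return hmac.compare_digest(candidate, row["password"])


# Constructed sample row (not real data): username, salt and password are made up.
legacy_row = {"username": "alice", "salt": "x9Q",
              "password": vb_legacy_hash("correct horse battery", "x9Q")}
upgraded = wrap_row(legacy_row)
print(verify_login("correct horse battery", upgraded))
print(verify_login("abc123", upgraded))
```

Wrapping only raises the cost for future copies of the table; rows from a dump that has already leaked remain exposed at MD5 speed, so the forced password reset discussed in the thread is still needed.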
  6. Bohra

    #6
    Mostly your passwords are safe. Only very easy passwords could be hacked; if the pass is somewhat not a normal word it will be tough.
     
    Bohra, May 31, 2009 IP
  7. Shimurai

    #7
    Thank you all for your answers. This hacker uploaded all the info of the table users of my vB forum to RapidShare and gave us the link. As you said, Bohra, only the easy passwords were decrypted, but fortunately, as I always say to my staff to use strong passwords, he couldn't get any password from the staff. I already sent mass PMs to my users telling them to change their passwords.

    Thank you all for your help.
     
    Shimurai, Jun 1, 2009 IP
  8. Abhik

    #8
    Abhik, Jun 1, 2009 IP
  9. Bohra

    #9
    vBulletin has a function, I guess, change password after so many days; you can use that.
     
    Bohra, Jun 1, 2009 IP
  10. T.Guru

    #10
    As said, best thing would be to force people on your forum to change passwords. It might be the best thing to do especially if it is a smaller forum. I would not like for someone to hack my MySQL database to get all the passwords.
     
    T.Guru, Jun 2, 2009 IP
  11. Whippet75

    #11
    Force members to reset password is a security feature in 3.8.x. Just look in your admincp.
     
    Whippet75, Jun 2, 2009 IP
  12. crivion

    #12
    If the passwords are common words or dictionary words they can be cracked using services like http://www.md5decrypter.com/ but if they have unusual, custom passes that would be too hard!
     
    crivion, Jun 4, 2009 IP