Plaintext Liker Social Network - needs help prioritizing security
by AngryWeirdo - May 02, 2021 at 07:02 PM

We are sorry, but Liker is done beta testing and is temporarily down for a BIG upgrade.
Liker 2.0 is coming soon (early May) and it will blow your socks off! We’ll send all of our users an email when we’re back in style...

Idea: dehash a 100 line file and post your progress in a link below. This is time-sensitive but due to the "bcrypt" difficulty, it's impossible to dehash 364k user hashes

=> I'm providing my progress in the liker.potfile for free to get started. Made-up example: $2a$08$kdflblahblahblahblahblah:trustno1

A social network geared toward leftie/democrats was hacked and the leak posted here:

  •  If they're opening in the next week or so, I think it'd be great if we could increase awareness that their passwords are REALLY bad
  • Let's try to dehash the passwords to encourage social networks to take password difficulty more seriously and also consider prioritizing security more in general or

  • I've broken (only) the hashes into 100 line increments under /splitt/hash.txt*
  • rockyou.txt can be found here: rockyou.txt wordlist - GitHub › releases › download › data › rockyou
  • Each 100 line file takes about 5 days using my AMD GPU using the command:
    % sudo hashcat -w 3 -m 3200 -a 0 -O --potfile-path ~/.hashcat/liker.potfile --session LIKER -D 1,2 hash.txt.azz rockyou.txt

If you have access to the "users.csv" in the Liker thread above, there is also a perl "" to merge the potfile with the users.csv file (see the other raidforums thread)

See attached.
Latest potfile is here:

Hopefully others can drop their potfiles from hashcat into a readable location and I'll keep merging.
If they are going through the effort of making an entirely new website, why wouldn't they have users sign up again or reset passwords?
(May 02, 2021 at 09:18 PM) verking Wrote: If they are going through the effort of making an entirely new website, why wouldn't they have users sign up again or reset passwords?
Never underestimate developer laziness.

I see two options:
1) they send everybody a password reset link (issue: such links often expire in 24hrs and if the users don't expect them, they're likely to go unheeded)
2) they wait until the person logs in (then offer them a reset link).
=> This is what happened with the UtahExchange hack, where users did nothing, or reset it back to the same password anyway

Option #2 is better because users can still log in (no obstacles) and passwords still get reset. No obstacles => Eyeball metrics rise faster => Investors happy
Option #1 is 'safer' if you assume that the passwords are exposed as close-to-plain-text => People may give up if the password reset link expires too quickly (users are also lazy)

Developers know that the passwords were hard to break so they'll likely go with Option #2.
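
The login-time reset discussed in the reply above (option 2), seen from the site operator's side, as an added example that is not part of the thread: it reads the cost factor out of a stored bcrypt string such as the `$2a$08$` prefix quoted earlier, forces a reset for accounts in the leak, and refuses a reset back to the same password. `MIN_COST`, `BREACHED`, the record fields and the `verify` callback are assumptions, and it covers accounts outside the leak as well.

```python
import re

# bcrypt modular-crypt string: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{22}[./A-Za-z0-9]{31}")
MIN_COST = 12  # assumed policy floor, not a value from the thread


def bcrypt_cost(stored_hash):
    """Return the cost factor, or None if the string is not a full bcrypt hash."""
    m = BCRYPT_RE.fullmatch(stored_hash)
    if not m:
        return None
    cost = int(m.group(1))
    return cost if 4 <= cost <= 31 else None


def login_action(user, breached_ids):
    """Decide what happens after a user has authenticated successfully."""
    cost = bcrypt_cost(user["hash"])
    if cost is None or user["id"] in breached_ids:
        return "force_reset"   # leaked or unparseable: old password must not survive
    if cost < MIN_COST:
        return "rehash"        # not leaked: re-hash the typed password at MIN_COST
    return "ok"


def accept_new_password(new_password, old_hash, verify):
    """Refuse a reset that sets the old password again.

    verify(password, hash) -> bool is the application's own bcrypt check,
    passed in so this example needs no third-party package.
    """
    return not verify(new_password, old_hash)


# Constructed sample records: salt and digest are filler, not real hashes.
OLD = "$2a$08$" + "A" * 22 + "B" * 31
NEW = "$2b$12$" + "C" * 22 + "D" * 31
USERS = [
    {"id": 1, "hash": OLD},                # listed in the leak
    {"id": 2, "hash": OLD},                # same low cost, not in the leak
    {"id": 3, "hash": NEW},
    {"id": 4, "hash": "$2a$08$kdflblah"},  # truncated string, fails the parser
]
BREACHED = {1}  # hypothetical set of account ids known to be in the leak

if __name__ == "__main__":
    for u in USERS:
        print(u["id"], bcrypt_cost(u["hash"]), login_action(u, BREACHED))
```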
