![[HSX] HeadShot Xtreme is officially recognized by the Central Outpost as a genuine gaming organization.](https://www.headshotdomain.net/files/coRpSE/cnopseal_X74-MEW1.png "[HSX] HeadShot Xtreme is officially recognized by the Central Outpost as a genuine gaming organization.")
The PwnGuard Modification caught my attention mostly because "Data Breaches" seem to be common theme in most tech media circles and has even hit main stream news platforms. That being said, I have to ask how accurate you believe the results of this mod produces?
Question #1: If the mod takes the input password, and converts it to SHA1 as well as uppercasing, then passes it to a third party website ( strtoupper(sha1($password)) ) . How accurate do you think those result matches are going to be considering that most websites do not even use similar crypt processes? Example:
d802f03b1278597a441a71b8a3fc0b32bb08cd46 AND D802F03B1278597A441A71b8A3fC0B32BB08CD46 are not identical inputs, yet producing the first one, and submitting it as the second method is not going to produce an accurate check.
For this check to even be close to accurate, you would have to take the input string, hash it with the top 10 most common methods INCLUDING the md5(md5(md5(md5(md5( method, and submit them as checks each to themselves.
Question #2: Digging around the domain being submitted, there does not appear to be much information about what hash the passwords are being compared to, or if ( or can it be ) compared to a multitude of other hashes. Meaning: If the mod submits the sha1( string, but can not be compared to md5(md5(md5(md5(md5( (THIS is the method Evo uses) string, what would be the point of the check?
Question #3: Probably the most dangerous aspect, but why submit any password, let alone an unsalted password be broadcasted to a third party website? Would any of you submit your databases of passwords to be tested? If not, why are you publishing each log attempt to a third party website that you are unfamiliar with?
Question #4: Is it my memory that has faded so badly, but I could have sworn that Evo used a salting method at some point in history. Why is a salting method still not being used?
Question #1: If the mod takes the input password, and converts it to SHA1 as well as uppercasing, then passes it to a third party website ( strtoupper(sha1($password)) ) . How accurate do you think those result matches are going to be considering that most websites do not even use similar crypt processes? Example:
d802f03b1278597a441a71b8a3fc0b32bb08cd46 AND D802F03B1278597A441A71b8A3fC0B32BB08CD46 are not identical inputs, yet producing the first one, and submitting it as the second method is not going to produce an accurate check.
For this check to even be close to accurate, you would have to take the input string, hash it with the top 10 most common methods INCLUDING the md5(md5(md5(md5(md5( method, and submit them as checks each to themselves.
I DO NOT SUGGEST THIS - See Next Question
Question #2: Digging around the domain being submitted, there does not appear to be much information about what hash the passwords are being compared to, or if ( or can it be ) compared to a multitude of other hashes. Meaning: If the mod submits the sha1( string, but can not be compared to md5(md5(md5(md5(md5( (THIS is the method Evo uses) string, what would be the point of the check?
Question #3: Probably the most dangerous aspect, but why submit any password, let alone an unsalted password be broadcasted to a third party website? Would any of you submit your databases of passwords to be tested? If not, why are you publishing each log attempt to a third party website that you are unfamiliar with?
Question #4: Is it my memory that has faded so badly, but I could have sworn that Evo used a salting method at some point in history. Why is a salting method still not being used?
— Doug wroteQuestion #1: If the mod takes the input password, and converts it to SHA1 as well as uppercasing, then passes it to a third party website ( strtoupper(sha1($password)) ) . How accurate do you think those result matches are going to be considering that most websites do not even use similar crypt processes? Example:
d802f03b1278597a441a71b8a3fc0b32bb08cd46 AND D802F03B1278597A441A71b8A3fC0B32BB08CD46 are not identical inputs, yet producing the first one, and submitting it as the second method is not going to produce an accurate check.
For this check to even be close to accurate, you would have to take the input string, hash it with the top 10 most common methods INCLUDING the md5(md5(md5(md5(md5( method, and submit them as checks each to themselves.[/align]
You're right that different sites use different password hashing methods, and many apply salts, multiple rounds, or even proprietary schemes. However, PwnGuard is not attempting to guess how a site hashes your password. It checks whether a plain-text password (what the user inputs) has ever appeared in a known data breach.
HIBP (Have I Been Pwned) uses the SHA1 of the plain-text password in uppercase, which aligns exactly with how their k-anonymity API expects it. So if a user enters “mypassword123”, we hash it with SHA1, uppercase it, and send only the first 5 characters of that hash to HIBP. HIBP responds with a list of suffixes, and we check locally if the full hash is found in that list.
It’s not meant to match how Xtreme or any system stores passwords, it’s a breach check, not a replacement for login authentication.
— Doug wroteQuestion #2: Digging around the domain being submitted, there does not appear to be much information about what hash the passwords are being compared to, or if ( or can it be ) compared to a multitude of other hashes. Meaning: If the mod submits the sha1( string, but can not be compared to md5(md5(md5(md5(md5( (THIS is the method Evo uses) string, what would be the point of the check?
HIBP only supports SHA1 hashes of plain-text passwords, not MD5, not salted hashes, and definitely not deeply nested schemes like md5(md5(md5(...))). That’s by design. It's a breach notification service, not a brute-force matcher of unknown hashing schemes.
So no, we don’t submit multiple variants of the password using different hashing methods, because that would violate the entire point of using a privacy-preserving API, and be incredibly insecure and inefficient anyway.
— Doug wroteQuestion #3: Probably the most dangerous aspect, but why submit any password, let alone an unsalted password be broadcasted to a third party website? Would any of you submit your databases of passwords to be tested? If not, why are you publishing each log attempt to a third party website that you are unfamiliar with?
This is one of the biggest misconceptions. We never send the actual password, nor even the full SHA1 hash.
Here’s what happens:
- User types in their password.
- It’s hashed with SHA1 locally.
- We uppercase the result.
- We take only the first 5 characters of that SHA1 hash.
- That 5-character prefix is sent to
Please login to see this link
Get registered or Log in
HIBP then returns a list of matching suffixes (the remaining 35 characters) along with breach counts. This method is known as k-anonymity, it ensures HIBP never knows the original password or its full hash.
You can read about the privacy model here:
| Please login to see this link Get registered or Log in |
So the user’s actual password, or its full hash, is never exposed. Nothing identifiable is ever logged or transmitted.
I have a post about this mod here, and a video I did explaining this, (all in the first post).
| Please login to see this link Get registered or Log in |
— Doug wroteQuestion #4: Is it my memory that has faded so badly, but I could have sworn that Evo used a salting method at some point in history. Why is a salting method still not being used?
Xtreme previously used an MD5-based hashing system, but that is no longer the case. As of last year, Xtreme has moved to using PHP’s password_hash() function, which includes strong salting and modern hashing (e.g., bcrypt) by default. Whis was done in responce to a security issue that I found that could be exploited by bad actors.
PwnGuard doesn’t interfere with or replace that system, it works alongside it by checking whether the user’s chosen password is already known to have been leaked in previous breaches. If it has, the user is warned or prevented from using it, even before it’s hashed and stored securely using password_hash().
So rather than being a weakness, PwnGuard is an extra layer of protection before password storage ever happens.
Overall, to simplify everything,
- PwnGuard doesn’t try to reverse engineer hashing schemes.
- It checks plain-text password exposure, not how they are stored.
- No real passwords or full hashes are sent anywhere.
- It uses HIBP’s secure and pretty well documented API built with privacy in mind.
- It helps raise awareness, especially for those that reuse passwords across multiple places.
So, to answer your original question which is the topic title, "Is PwnGuard Mod not contributing to the existing problem?", my response is, Absolutely not. Not doing anything is to me contributing more than anything to the existing problem, which is growing. The people that stand to the side, bitch and complain, take no real action on their part, offer no good feedback, and overall stand on the sidelines stomping their feet like children when people don't bend to their every need is what is contributing to the existing problem.
If I come off as annoyed, I'll admit, part of my reaction comes from dealing with similar debates in the past, especially from some of the old Raven community, where the HP mod was called intrusive, among other things. So I may sound a bit blunt here.
With that said, I do want to be honest, and your post, especially the title, comes off a bit provocative. It frames the mod as potentially harmful without first checking the core details, which makes it feel more like a challenge than a request for clarification.
You raise four technically detailed questions, but I do have to ask, did you get a chance to actually look at the code or the accompanying documentation/video? For example, when you ask, "why submit any password, let alone an unsalted password to a third-party website," it seems like you might have missed how the mod uses k-anonymity and never transmits a real password or even its full hash. That’s something I covered pretty clearly in the video.
No hard feelings, I appreciate deep questions, but I’d encourage reviewing the material first so we’re all on the same page.
— coRpSE wroteThis is one of the biggest misconceptions. We never send the actual password, nor even the full SHA1 hash.
Here’s what happens:
- User types in their password.
- It’s hashed with SHA1 locally.
- We uppercase the result.
- We take only the first 5 characters of that SHA1 hash.
- That 5-character prefix is sent to
Please login to see this link
Get registered or Log in
HIBP then returns a list of matching suffixes (the remaining 35 characters) along with breach counts. This method is known as k-anonymity, it ensures HIBP never knows the original password or its full hash.
You can read about the privacy model here:
Please login to see this link
Get registered or Log in
So the user’s actual password, or its full hash, is never exposed. Nothing identifiable is ever logged or transmitted.
I went back and dug through the code and noticed the $prefex of first 5 characters... I assumed the first method would call for the 2nd precision match, but I don't see that in the curl call. Damn sure nothing pushed to third party, however it not goes back to accuracy? How does this come close to any type accuracy?
— coRpSE wroteXtreme previously used an MD5-based hashing system, but that is no longer the case. As of last year, Xtreme has moved to using PHP’s password_hash() function, which includes strong salting and modern hashing (e.g., bcrypt) by default. Whis was done in responce to a security issue that I found that could be exploited by bad actors.
PwnGuard doesn’t interfere with or replace that system, it works alongside it by checking whether the user’s chosen password is already known to have been leaked in previous breaches. If it has, the user is warned or prevented from using it, even before it’s hashed and stored securely using password_hash().
Would you be so kind as to point me to the correct file that deals with hashing? My download of evo is about a week old, was this change included within that timeframe? What I am seeing is:
/modules/Your_account/index.php
PHP: [ Select all ]
$dbpass = $setinfo['user_password'];
$non_crypt_pass = $user_password;
$old_crypt_pass = crypt($user_password,substr($dbpass,0,2));
/*****[BEGIN]******************************************
[ Base: Evolution Functions v1.5.0 ]
******************************************************/
$new_pass = EvoCrypt($user_password);
/*****[END]********************************************
[ Base: Evolution Functions v1.5.0 ]
******************************************************/
$new_pass = md5($user_password);
$evo_crypt = EvoCrypt($user_password);
//Reset to md5x1
if (($dbpass == $evo_crypt) || (($dbpass == $non_crypt_pass) || ($dbpass == $old_crypt_pass))) {
$db->sql_query("UPDATE ".$user_prefix."_users SET user_password='$new_pass' WHERE username='$username'");
$result = $db->sql_query("SELECT user_password FROM ".$user_prefix."_users WHERE username='$username'");
list($dbpass) = $db->sql_fetchrow($result);
}
if ($dbpass != $new_pass) {
//Does it need another md5?
if (md5($dbpass) == $new_pass) {
$db->sql_query("UPDATE ".$user_prefix."_users SET user_password='$new_pass' WHERE username='$username'");
$result = $db->sql_query("SELECT user_password FROM ".$user_prefix."_users WHERE username='$username'");
list($dbpass) = $db->sql_fetchrow($result);
if ($dbpass != $new_pass) {
redirect("modules.php?name=$module_name&stop=1");
return;
}
} else {
redirect("modules.php?name=$module_name&stop=1");
return;
}
} includes/functions_evo.php
PHP: [ Select all ]
// EvoCrypt function by JeFFb68CAM
function EvoCrypt($pass) {
return md5(md5(md5(md5(md5($pass)))));
} I am not seeing any function call to password_hash( ??? only md5( 5x
— coRpSE wroteSo, to answer your original question which is the topic title, "Is PwnGuard Mod not contributing to the existing problem?", my response is, Absolutely not. Not doing anything is to me contributing more than anything to the existing problem, which is growing. The people that stand to the side, bitch and complain, take no real action on their part, offer no good feedback, and overall stand on the sidelines stomping their feet like children when people don't bend to their every need is what is contributing to the existing problem.
I can't say that I whole heartedly disagree with your premise. One can easily toss gasoline on an existing fire. I tend to see more people marketing crisis, when the solution was always have been to refuse participation ( which by definition is "take no action"). We give our information out freely, then get upset when said information gets exposed by third party? Speaking of which, ill show you a project in another post that sort of aligns with this same concept ( Ugly Tool that Josh built a few years ago ).
Please do not apologize for an emotion. I am not thin skinned. At the very least, I may have just found out that my week old download is out of date. Nearly all discussions serve utility to some degree!— coRpSE wrote(Sorry, most of that annoyance is from some of the old Raven community people that got under my skin many years ago about the HP and how it was too intrusive, among other things without even the basic understanding of it.)
Do me a favor, open your mainfile.php and find on line 59, what is NUKE_EVO defined as?
I can tell you that your file does not match with what I have on my test site and what I just downloaded as the "latest build". I have a feeling, you have an outdated version. But the md5 has been gone for about a year now.
I explain it in the video.
I can tell you that your file does not match with what I have on my test site and what I just downloaded as the "latest build". I have a feeling, you have an outdated version. But the md5 has been gone for about a year now.
I went back and dug through the code and noticed the $prefex of first 5 characters... I assumed the first method would call for the 2nd precision match, but I don't see that in the curl call. Damn sure nothing pushed to third party, however it not goes back to accuracy? How does this come close to any type accuracy?
I explain it in the video.
— coRpSE wroteDo me a favor, open your mainfile.php and find on line 59, what is NUKE_EVO defined as?
lines 57 through 62
PHP: [ Select all ]
// Define File
define_once('NUKE_EVO', '2.0.9f');
define_once('EVO_EDITION', 'xtreme');
define('PHPVERS', @phpversion());
define_once('EVO_VERSION', NUKE_EVO . ' ' . EVO_EDITION);
define('PHP_5', version_compare(PHPVERS, '5.0.0', '>=')); — Doug wrote— coRpSE wroteDo me a favor, open your mainfile.php and find on line 59, what is NUKE_EVO defined as?
lines 57 through 62PHP: [ Select all ]
// Define File
define_once('NUKE_EVO', '2.0.9f');
define_once('EVO_EDITION', 'xtreme');
define('PHPVERS', @phpversion());
define_once('EVO_VERSION', NUKE_EVO . ' ' . EVO_EDITION);
define('PHP_5', version_compare(PHPVERS, '5.0.0', '>='));
That is the old version. We are on 2.0.10 now. My site here is still 2.0.9F, but I did all the security updates all ready to this site.
In the new version, is when we made the change and dropped the md5 hashing. I had informed the other nuke distros of the issue, but not sure if any of them have updated.