I Just Logged In As You: How It Happened

In my previous post I Just Logged In As You, I disclosed that someone was logging in as me -- specifically because they discovered my password. But how?


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2009/05/i-just-logged-in-as-you-how-it-happened.html

OK, I think I’ve finally heard enough, and tried it enough, to agree that OpenID is the right thing to do.

Knowing the salt and having the hash lets you do a dictionary attack on your own machine(s), so you don’t need to use an MD5 database.

Trying to maintain unique passwords for each and every site is a real pain. Even the best methods are dependent on a master password, which comes with its own problems, not the least of which is that you can lock yourself out of everything.

The faster some kind of biometric scanner comes equipped by default on every network-capable device, the better.

I am going to go ahead and guess your password was: wumpus

Could someone please explain to me – simply but very exactly – how a salted password would help?

From what I know, you store the salt in plaintext(-equivalent) form to concatenate the password with in order to protect against rainbow table attacks. A dictionary attack against a single password, which this was, is not harder with a salted password.
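A worked illustration of the point made in the two posts above (a salt defeats a precomputed hash table, but a targeted dictionary attack on one account with a known salt costs the same per guess), added here as an example and not part of this thread; it uses MD5 only because that is what the thread discusses, and the five-word list and the three user accounts are constructed:

```python
import hashlib
import secrets

# Constructed toy wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "wumpus", "qwerty", "hunter2"]
def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()
def store_unsalted(password: str):
    # Same password -> same hash for every user, on every MD5 site.
    return b"", md5_hex(password.encode())

def store_salted(password: str):
    # Per-user random salt, stored in the clear beside the hash.
    salt = secrets.token_bytes(16)
    return salt, md5_hex(salt + password.encode())

def precomputed_table(words):
    # Built once, offline; reusable against ANY unsalted MD5 database.
    return {md5_hex(w.encode()): w for w in words}

def recover_by_lookup(stored_hash, table):
    # No hashing at attack time: a single dictionary lookup.
    return table.get(stored_hash)

def recover_by_dictionary(records, words):
    # Guess each word against each record's own salt. Caching (salt, word)
    # also counts real work: unsalted records share guesses, salted do not.
    found, cache = {}, {}
    for user, (salt, h) in records.items():
        for w in words:
            if (salt, w) not in cache:
                cache[(salt, w)] = md5_hex(salt + w.encode())
            if cache[(salt, w)] == h:
                found[user] = w
                break
    return found, len(cache)  # distinct hash computations performed

def demo():
    users = {"alice": "wumpus", "bob": "qwerty", "carol": "hunter2"}
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    table = precomputed_table(WORDLIST)
    f_u, work_u = recover_by_dictionary(unsalted, WORDLIST)
    f_s, work_s = recover_by_dictionary(salted, WORDLIST)
    return {
        "lookup_unsalted": recover_by_lookup(unsalted["alice"][1], table),
        "lookup_salted": recover_by_lookup(salted["alice"][1], table),
        "dictionary_unsalted": (f_u == users, work_u),
        "dictionary_salted": (f_s == users, work_s),
    }
```

The salt makes the database-wide cost grow with the number of users (12 hashes instead of 5 here) and makes precomputed tables worthless, but a single weak password still falls in a handful of guesses; only a deliberately slow hash (bcrypt, PBKDF2) raises that per-guess cost.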

I cannot stand people who say “Hahaha, I hacked you because your password is too weak”, which by the way has never happened. In my opinion it’s the laziest hacking I can imagine; using rainbow tables? Even lazier. Come on, get real, come up with a new exploit or something that allowed you to find the password.

But what makes me even more bleh is the actual guy in this case: “oh, you signed up with a password on a site I used to work for. HAHA”, that’s probably the most unethical thing I’ve ever heard of; calling yourself ethical is anything but… That is called phishing, plain and simple; go look it up. It’s so sad though, I’m so sad that people don’t even try to find new exploits and just use a client side phishing attack or some stupid thing like that.

Anyway, have fun with your hopes of being someone who matters. Clearly the only thing you’ve done is hoped that Jeff would hire you in security; my advice: don’t bother, you can find this kind of experience in any 2-bit network security firm.

If my OpenID password gets owned, then I’m owned on several sites.

  1. Generate the MD5sum of your password (e.g. http://www.md5generator.com/ )
  2. Google it

Yep, excellent advice.

How is an idiot supposed to work out which are the secure providers?

See above email comment. You use email, yes? Better hope they do passwords right!

Most of the internet backed up 37 Signals when it came out they weren’t storing salts with their passwords.

Ooh, that’s really bad. I hadn’t seen that.

http://www.jgc.org/blog/2009/05/can-you-trust-37signals-with-your.html

This is nothing. I once signed up for an online dating site my friend recommended.

It was a piece of crap. Design painful to the eye. Horrible user interaction.

But something happened the next day that scared the shit out of me. I GOT MY PASSWORD EMAILED TO ME.

I deleted my account the next day. But I have a feeling that the password I used for social networking websites and news aggregation sites is still on their machine, waiting for someone to harvest it along with the passwords of all the other users.

How is that any different than your email password getting owned? Then you’re owned on EVERY site, courtesy of “reset my password via email” links.

Indeed, providing the hacker knows EVERY site you visit. Do OpenID providers not allow you to reset passwords via email?

I should mention too that passwords are apparently emailed to users of that dating site on a regular basis, maybe every day.

I tried to email the guy who developed/maintains the site. Didn’t hear from him.

Erm… one prolonged and interwoven set of weak moments, then.

Since we are all frank and honest on the subject of broken security here… when will these oranges be uprooted and cease being pine-apples in disguise?

This orange thing has been more than the required moment of weakness now. And in case anyone (Jeff?) still wanted to retort “Well, I don’t see any spam”, I’d like to repeat: this site is for the users, not against the spammers.

Right now, the real users are paying the cost to provide no protection against the absent spammers.


I forgot to enter the correct word again. Maybe the word is not correct anymore?

@Matt (and WhaleDawg)

I do something similar to what Whaledawg does.

Google mail = gmailyaba6319
Yahoo = yahooyaba6319
Stack Overflow = soyaba6319

It isn’t perfect but it is a heck of a lot better than using the same password everywhere.

orly? If I admin’d gmail and saw that your password was gmailyaba6319 and that you also had a yahoo email address, I know which password I would be trying first.

@WhaleDawg

While your version may be slightly more obfuscated, applying any pattern to your passwords is weakening them. And since you admit to using KeePass and rarely entering them by hand, you could just as easily be using something random and strong.

Oh, and for those who claim my password was a dictionary word, and thus this is a de facto dictionary attack. Well, I just went to

http://www.merriam-webster.com/dictionary/

… and entered my old password there:

The word you’ve entered isn’t in the dictionary. Click on a spelling suggestion below or try again using the search bar above.

Like I said, it ain’t a dictionary word! It might be in cracking tables somewhere, but it isn’t a dictionary word, at least not of the type you can use in Scrabble without getting challenged…

Is it worth revealing the open id provider?

Will this user come forward to claim the Stack Overflow Hacker badge? I don’t see any wrongdoing against SO or you, since they were nice enough to point out the vulnerability and demonstrate it. You also got two good blog posts out of it. I could imagine the owner of the other site (the one the hacker helps out at, that doesn’t salt their passwords) might be a little upset if (when?) word gets out that they were hacked by a trusted volunteer, but it sounds like they were warned about using salt awhile back.

This was a good read!

You should award the hacker badge now… because next time the next person might rather not tell you :slight_smile:

Jeez Jeff, aren’t you a bit afraid now? It’s official, you have a stalker.

Is using OpenID, or Windows CardSpace for another example, beyond most users’ tolerance or attention span? How can we get easier?

I always salt AND pepper my passwords. :stuck_out_tongue: