In my previous post I Just Logged In As You, I disclosed that someone was logging in as me -- specifically because they discovered my password. But how?
Knowing the salt and having the hash lets you do a dictionary attack on your own machine(s), so you don’t need to use an MD5 database.
Trying to maintain unique passwords for each and every site is a real pain. Even the best methods are dependent on a master password, which comes with its own problems, not the least of which is that you can lock yourself out of everything.
The faster some kind of biometric scanner comes equipped by default on every network-capable device, the better.
Could someone please explain to me – simply but very exactly – how a salted password would help?
From what I know, you store the salt in plaintext(-equivalent) form to concatenate the password with in order to protect against rainbow table attacks. A dictionary attack against a single password, which this was, is not harder with a salted password.
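The distinction the two comments above draw (a known salt does not slow down a dictionary attack on one password, but it does defeat shared precomputation) is easy to see in code. The following is an added example, not code from the original post or from any commenter; the users, passwords and dictionary are constructed sample data, and MD5 is used only because it is the hash the thread is discussing.

```python
import hashlib
import os
from typing import Dict, Tuple

# Constructed sample data (not from the original thread): a tiny password
# dictionary and a handful of made-up users. Two users share a weak password.
DICTIONARY = ["123456", "password", "letmein", "qwerty", "monkey", "dragon", "yaba6319"]
USERS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "password",
    "dave": "Tr0ub4dor&3!x",   # not in the dictionary, never cracked either way
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Unsalted store: identical passwords produce identical hashes."""
    return {u: md5_hex(p.encode()) for u, p in users.items()}


def store_salted(users: Dict[str, str], salt_len: int = 16) -> Dict[str, Tuple[bytes, str]]:
    """Salted store: a fresh random salt per user, kept in the clear beside the hash."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        out[u] = (salt, md5_hex(salt + p.encode()))
    return out


def crack_unsalted(db: Dict[str, str], dictionary) -> Tuple[Dict[str, str], int]:
    """One pass over the dictionary builds a lookup table that serves every user
    at once. This is exactly what a precomputed MD5 database or rainbow table
    hands an attacker for free. Returns (cracked users, hashes computed)."""
    table = {md5_hex(w.encode()): w for w in dictionary}
    found = {u: table[h] for u, h in db.items() if h in table}
    return found, len(dictionary)


def crack_salted(db: Dict[str, Tuple[bytes, str]], dictionary) -> Tuple[Dict[str, str], int]:
    """The salt is known, so each user is still a plain dictionary attack, but no
    work is shared: every user costs a separate pass over the dictionary, and a
    precomputed table is useless. Returns (cracked users, hashes computed)."""
    found = {}
    hashes_computed = 0
    for u, (salt, h) in db.items():
        for w in dictionary:
            hashes_computed += 1
            if md5_hex(salt + w.encode()) == h:
                found[u] = w
                break
    return found, hashes_computed


def compare() -> Dict[str, int]:
    """Run both attacks and report the hashing work each required."""
    _, work_unsalted = crack_unsalted(store_unsalted(USERS), DICTIONARY)
    _, work_salted = crack_salted(store_salted(USERS), DICTIONARY)
    return {"unsalted": work_unsalted, "salted": work_salted}


if __name__ == "__main__":
    unsalted_db = store_unsalted(USERS)
    salted_db = store_salted(USERS)
    print("unsalted:", crack_unsalted(unsalted_db, DICTIONARY))
    print("salted:  ", crack_salted(salted_db, DICTIONARY))
    print("alice/carol hashes equal (unsalted):", unsalted_db["alice"] == unsalted_db["carol"])
    print("alice/carol hashes equal (salted):  ", salted_db["alice"][1] == salted_db["carol"][1])
```

Both attacks recover the same three weak passwords, which is the commenter's point: the salt does nothing for a single user whose password is in the dictionary. What changes is the cost structure. The unsalted store falls to one pass over the dictionary (and to a table computed before the breach), while the salted store forces a full pass per user, and users sharing a password no longer share a hash. Since the attacker's bill is "dictionary size × users × cost per hash", the salt raises the middle factor and a deliberately slow hash raises the last one; MD5 contributes almost nothing to it.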
I cannot stand people who say “Hahaha, I hacked you because your password is too weak,” which, by the way, has never happened to me. In my opinion it’s the laziest hacking I can imagine; using rainbow tables? Even lazier. Come on, get real, come up with a new exploit or something that allowed you to find the password.
But what makes me even more bleh is the actual guy in this case: “oh, you signed up with a password on a site I used to work for.” HAHA, that’s probably the most unethical thing I’ve ever heard of; calling yourself ethical is anything but… That is called phishing, plain and simple; go look it up. It’s so sad, though; I’m so sad that people don’t even try to find new exploits and just use a client-side phishing attack or some stupid thing like that.
Anyway, have fun with your hopes of being someone who matters. Clearly the only thing you’ve done is hoped that Jeff would hire you in security; my advice: don’t bother, you can find this kind of experience in any 2-bit network security firm.
This is nothing. I once signed up for an online dating site my friend recommended.
It was a piece of crap. Design painful to the eye. Horrible user interaction.
But something happened the next day that scared the shit out of me. I GOT MY PASSWORD EMAILED TO ME.
I deleted my account the next day. But I have a feeling that the password I used for social networking websites and news aggregation sites is still on their machine, waiting for someone to harvest it along with the passwords of all the other users.
Erm… one prolonged and interwoven set of weak moments, then.
Since we are all frank and honest on the subject of broken security here… when will these oranges be uprooted and cease being pine-apples in disguise?
This orange thing has been more than the required moment of weakness now. And in case anyone (Jeff?) still wanted to retort “Well, I don’t see any spam,” I’d like to repeat: this site is for the users, not against the spammers.
Right now, the real users are paying the cost to provide no protection against the absent spammers.
I forgot to enter the correct word again. Maybe the word is not correct anymore?
Google mail = gmailyaba6319
Yahoo = yahooyaba6319
Stack Overflow = soyaba6319
It isn’t perfect, but it is a heck of a lot better than using the same password everywhere.
orly? If I admin’d Gmail and saw that your password was gmailyaba6319 and that you also had a Yahoo email address, I know which password I would be trying first.
While your version may be slightly more obfuscated, applying any pattern to your passwords is weakening them. And since you admit to using KeePass and rarely entering them by hand, you could just as easily be using something random and strong.
The word you’ve entered isn’t in the dictionary. Click on a spelling suggestion below or try again using the search bar above.
Like I said, it ain’t a dictionary word! It might be in cracking tables somewhere, but it isn’t a dictionary word, at least not of the type you can use in Scrabble without getting challenged…
Will this user come forward to claim the Stack Overflow Hacker badge? I don’t see any wrongdoing against SO or you, since they were nice enough to point out the vulnerability and demonstrate it. You also got two good blog posts out of it. I could imagine the owner of the other site (the one the hacker helps out at, that doesn’t salt their passwords) might be a little upset if (when?) word gets out that they were hacked by a trusted volunteer, but it sounds like they were warned about using salt a while back.