This is why I do password mixing. I have a seed word I use, lets say ‘Burp’. Then I choose a word for each login that makes sense, in the case of say my yahoo account ‘Mail’. Then I have a 4 digit pin of, say, ‘5621’.
My yahoo mail password would be ‘BM5ua6ri2pl1’. And if that seems really difficult to type it is, but I use KeePass portable. It’s a passord database that fits on a thumb drive and runs anywhere, so I hardly ever have to enter it myself.
I work with security software. Occasionally, I get an inside peek at how some our customers (Fortune 500, banks, governments, etc.) have dealt with security issues. Many are doing an OK job, and getting better all the time. But some… I’m telling you, it’s frightening, really. They are so clueless that they cannot even begin to understand how bad their situation is.
It’s the same with developers. Some are so clueless about security that they don’t even realize how little they know. You tell them to salt your passwords to prevent dictionary attacks and all they hear is blah blah passwords blah blah blah blah.
When people talk about dictionaries in reference to password cracking, they don’t literally mean your copy of websters. Your password was vulnerable to a dictionary-based attack which is the important part. Who knows why… probably replacing some common letters with number or symbols. The important part is that any time you base your password on a word(s) in the dictionary you’re vastly reducing the number of possible passwords that need to be checked.
I’ve started to use PasswordMaker for FF and SeaMonkey. It will store the password for you too. I use multiple Master Passwords, so it does get fun guessing at what is the password for the application. Some of them I’m able to figure out if I’ve entered the wrong Master Password because I make some association with a word with each password I use so I can spot the wrong ones.
Uh, Malte said: The most likely cause was that you used it on his site and he is logging passwords or saving them un-hashed. He didn’t say anything about reverse lookup on the hash.
Ha! I can do you one better. I once worked on a web application that didn’t even hash the passwords. They were just plain text in the database. So I immediately suggested that we hash and salt the password to increase security, but there was a feature on the application to email the user their password if they had forgotten it. I explained that had to change, because we would no longer be able to retrieve the password, since it would be hashed. Instead, we would email them a link to where they could reset their password. They thought this would be an inconvenience to the users. So to prove how big a problem this was, I picked the first user in the database that had an @yahoo.com email address, went to mail.yahoo.com and used the same password they were using for our site. Sure enough, we were logged right in.
MD5 is hashing algorithm, not an encryption scheme. Two words can produce same MD5 hash, it is called MD5 collision. For more information, Google is ur friend, http://www.google.com/search?q=md5+collision
I can’t help but notice that the problem was not yours, but the OpenID provider - should they have been salting their passwords prior to storing? In which case, outsourcing your authentication may be some good advice, but certainly no guarantee.
I use 1Password for Mac and iPhone. It’s been a long time since I had to type other than my master password, and the password generator can create impossible to decipher monsters (if that’s what you need).
Frankly, I thought that it would be more interesting than that. Come on, the guy sent a second mail to explain the hack just for the freaking l33t-51t badge! And wtf was There’s a site I help out with that doesn’t salt their passwords … I was able to figure out you were a user on the site some time back !? And finally, oh!, it was some programmer’s fault, but wait I am a programmer, does this mean that I’m a l33t-51t hacka!?
Tim, I wouldn’t classify marcoslot’s attack and openId weakness but just another phishing attack. Entering your password on a non-provider site is just plain silly (it does point out a usability issue with openid but not a security risk)
This is one of the reasons I’m now advocating foaf+ssl. It’s a more elegant scheme using browser certificates instead of passwords. You can combine it with OpenID to improve on security.