I Just Logged In As You: How It Happened

This is why I do password mixing. I have a seed word I use, lets say ‘Burp’. Then I choose a word for each login that makes sense, in the case of say my yahoo account ‘Mail’. Then I have a 4 digit pin of, say, ‘5621’.

My yahoo mail password would be ‘BM5ua6ri2pl1’. And if that seems really difficult to type it is, but I use KeePass portable. It’s a passord database that fits on a thumb drive and runs anywhere, so I hardly ever have to enter it myself.

I work with security software. Occasionally, I get an inside peek at how some our customers (Fortune 500, banks, governments, etc.) have dealt with security issues. Many are doing an OK job, and getting better all the time. But some… I’m telling you, it’s frightening, really. They are so clueless that they cannot even begin to understand how bad their situation is.

It’s the same with developers. Some are so clueless about security that they don’t even realize how little they know. You tell them to salt your passwords to prevent dictionary attacks and all they hear is blah blah passwords blah blah blah blah.

When people talk about dictionaries in reference to password cracking, they don’t literally mean your copy of websters. Your password was vulnerable to a dictionary-based attack which is the important part. Who knows why… probably replacing some common letters with number or symbols. The important part is that any time you base your password on a word(s) in the dictionary you’re vastly reducing the number of possible passwords that need to be checked.

So if Malte was right, who to blame? The guy that logged in as you made an even bigger mistake (could have been a setup).

http://xenoterracide.blogspot.com/2009/05/jeff-attwood-fails-at-password-security.html I decided to write out what I thought of this post and what I feel are inaccuacies.

I’ve started to use PasswordMaker for FF and SeaMonkey. It will store the password for you too. I use multiple Master Passwords, so it does get fun guessing at what is the password for the application. Some of them I’m able to figure out if I’ve entered the wrong Master Password because I make some association with a word with each password I use so I can spot the wrong ones.

I believe that passwords became invalid with the advent of the internet. They can not be made safe nor secure.

Everyone (including Jeff) please read http://marcoslot.net/apps/openid/ and some other info on OpenID to see how it’s a giant security risk.

Back in the day we spoofed the unix login with a csh script to steal passwords. Same thing works in OpenID.

Uh, Malte said: The most likely cause was that you used it on his site and he is logging passwords or saving them un-hashed. He didn’t say anything about reverse lookup on the hash.

Ha! I can do you one better. I once worked on a web application that didn’t even hash the passwords. They were just plain text in the database. So I immediately suggested that we hash and salt the password to increase security, but there was a feature on the application to email the user their password if they had forgotten it. I explained that had to change, because we would no longer be able to retrieve the password, since it would be hashed. Instead, we would email them a link to where they could reset their password. They thought this would be an inconvenience to the users. So to prove how big a problem this was, I picked the first user in the database that had an @yahoo.com email address, went to mail.yahoo.com and used the same password they were using for our site. Sure enough, we were logged right in.

I just use the Password Maker plugin for Firefox, I only have to remember the one password, and no website gets my private key (salt really).

MD5 is hashing algorithm, not an encryption scheme. Two words can produce same MD5 hash, it is called MD5 collision. For more information, Google is ur friend, http://www.google.com/search?q=md5+collision

I’d just google the password. If it returns a result, I’d consider it a dictionary word.

NikNak the clown comes to mind from an earlier post. People in glass houses…

I can’t help but notice that the problem was not yours, but the OpenID provider - should they have been salting their passwords prior to storing? In which case, outsourcing your authentication may be some good advice, but certainly no guarantee.

Have I misunderstood something?


I use 1Password for Mac and iPhone. It’s been a long time since I had to type other than my master password, and the password generator can create impossible to decipher monsters (if that’s what you need).

Frankly, I thought that it would be more interesting than that. Come on, the guy sent a second mail to explain the hack just for the freaking l33t-51t badge! And wtf was There’s a site I help out with that doesn’t salt their passwords … I was able to figure out you were a user on the site some time back !? And finally, oh!, it was some programmer’s fault, but wait I am a programmer, does this mean that I’m a l33t-51t hacka!?

(I’m just a bit disappointed.)

I am having a hard time taking an article on inaccuacies seriously. Also, while we are speaking of inaccuracies, you could spell my name correctly…

Tim, I wouldn’t classify marcoslot’s attack and openId weakness but just another phishing attack. Entering your password on a non-provider site is just plain silly (it does point out a usability issue with openid but not a security risk)

This is one of the reasons I’m now advocating foaf+ssl. It’s a more elegant scheme using browser certificates instead of passwords. You can combine it with OpenID to improve on security.