I Just Logged In As You: How It Happened

One password to rule them all: http://passwordmaker.org/

I use it for everything EXCEPT important sites where I want to change the password. For my Google account for instance, roughly every year I generate a random 10 letter string (IOW (2*26)^10 possibilites) that I store in my wallet and somewhere at home. I obfuscate it slightly so that you can’t use it directly should you steal it :slight_smile:

The only problem with this is that some BRAIN DEAD website restrict the characters you can use for a password. But the MOST brain dead websites are those – and they exist – where they force stupid requirements on you while restricting the chars you can use, or the length. Ingram Micro for example is particularly annoying.

@Remi:

From what I understood, Jeff used the same password for his OpenID as he did for this (non-OpenID-using) website. The attacker stole the hashed password from the second website, unhashed it, and then tested it against his OpenID to see if Jeff was reusing passwords.

OpenID isn’t the vulnerability - Jeff reusing passwords is.

In college I used to make money with that same trick. Hack a website that pays people with their paypal account, then use the password they registered with and attempt to log into their paypal account.

Some sites 1 in 3 would work, others 1 in 10.

Same things applies for many MMORP, hack a forum for a guild. And start trying passwords they used on the forum. Success rate is lower than the paypal and egold trick above, but selling their characters goods is way easier.

But…it wasn’t the fact that the passwords weren’t salted that let him get it.

It was the fact that he was a trusted individual and obviously should not have been.

Since he was helping out–I assume as a programmer–he could just as easily have temporarily trojan’ed the log-in screen and got the password that way. Or made a fake log-in screen.

You salt passwords so if someone outside of your trusted group gets a hold of the file, it makes their attack harder. It doesn’t help against an inside job.

This guy just shouldn’t be allowed on any project.

While we are all waiting for the mythical promised land of OpenID everywhere, isn’t it smarter to

NOT USE THE SAME PASSWORD AT EVERY SITE YOU REGISTER FOR???

:slight_smile:

A pain in the ass, yes, which is why I use pwdhash. (It’s a firefox extension.) It lets you have per-site passwords by entering, essentially, hash(site_domain + your_password) into password fields, rather than a straight password.

I think you’re being a overly melodramatic in your crusade against people rolling their own user authentication systems.

Seriously, it is not that hard. The fact that many incompetent people try to do it and fail doesn’t make it hard. I’m seriously amazed that so many people in this industry fail at something so simple to do.

You make it sound like people trying to roll their own encryption algorithm. Encryption should not under any circumstances be self-developed unless a) you are an expert and b) you submit your work for peer review.

Things aren’t nearly so dire for setting up a user authentication system.

1: Generate a random salt value of sufficient length, 8 or more bytes is fine
2: Concatenate salt to user supplied password
3: Hash user combined salt + password with SHA-1 or better
4: Store salt and hash in the database
5: Use SSL for transmitting authentication details

That’s it. If any programmer out there can’t follow these simple, easy steps to secure their user accounts, they should find some other line of work - say, a waiter or a janitor.

OpenID is great for the convenience factor, but acting like anyone that doesn’t outsource their authentication system is an idiot who is doing it wrong because it’s so hard to do that noone else could possibly be doing it right is silly and downright incorrect.

Can someone link to one of these hash reversing websites?

Unfortunatley, in the real world, who doesn’t reuse passwords? Surely you can’t expect everyday Joe to keep track of 500 different passwords for all their sites they’ve signed up to.

This reminds me of the old days, first dot-com era, and for kicks we’d log into people’s hotmail accounts because everyone used the same password for our service as their hotmail accounts.

Scary how easy it is for a provider of web services to potentially access your other services, especially if you don’t use different passwords.

Moral of the story, use different passwords for different sites. It’s unpractical for the average person, but as a techie, I don’t have problems using one of the many third-party tools (KeePass)that manage login/password data. You also can’t trust the webservice you’re using to handle it appropriately on the backend.

It was quidjibo wasn’t it?

Here’s how I choose my passwords these days, so they don’t repeat too often and yet I have a clue of what it ought to be by context.

My password has 8 characters.

The first two are two meaningful letters I took from the domain name’s URL. So, slashdot.com, I use the s and the d from the two syllables.

Next I use four letters of which one is capitalized. The four letters are not dictionary words but can be hacker speak words. Like this, F11n for fun. I could use this fun snippet for sites that relate to fun stuff like gaming.

Finally, the last two letters are actually two numbers to indicate the number of characters the domain name’s meaningful part contains, so for slashdot I count 8. Pad it with a 0 and have 08.

So my password for slashdot becomes sdF11n08.

And for OSNews it becomes onF11n06.

And so on. It at least discourages people from easily reusing my password for other sites should they have access to them.

I do something similar to what Whaledawg does.

  1. Pick a word or character combination that describes the site in question: so=Stack Overflow, gmail=Google Mail, yahoo=Yahoo.

  2. Pick a constant character string to use in all passwords that can be remembered. yaba6319

  3. Concatenate them. You now have a pretty difficult password to break that is also different for each site.

Google mail = gmailyaba6319
Yahoo = yahooyaba6319
Stack Overflow = soyaba6319

It isn’t perfect but it is a heck of a lot better than using the same password everywhere.

OpenID is not the silver bullet for this problem. Developers are still going to have to write good password storage solutions. Why?

  1. People don’t want their operation-critical web applications to depend on a third party. If an OpenID provider suddenly goes down (or belly-up) or has their own security breach, there’s nothing they can do. By being their own authentication provider, they avoid this.

  2. When I explain to a client what OpenID is, you know what he hears? That idiot Kathy in accounting is going to have the same login for my mission-critical application as she does for her Facebook account that got hacked last week.

So, no, I don’t think I’ll be getting out of the business of storing user credentials anytime soon. But that’s okay, because I know how to do it correctly. And while I can’t protect every user of every app from doing stupid things, I can advise my clients on what they should be doing. If they don’t follow my advice, well, I’ve done what I can. Just like Jeff’s OpenID provider did when they told him not to use the same password on more than one system.

Excellent read… slightly degraded I’m sure to hide the total truth, but fun nevertheless; Horror at its peak, huh? :slight_smile:

What’s better is the comments coming in about the informative tips and such – keep 'em coming!

Cheers

By the way, I agree that this is a major let down. It’s real but not very sexy. I suppose if the guy was living across the street and was using binoculars to see the yellow post it notes pasted to your computer with your password written on them you wouldn’t have bothered posting about it.

At what point do you decide that this is a programming issue and not just a user being stupid and a hacker being lucky?

Wait, so you use the same exact password on the site as what you used with your openid provider? Who’s fault is that? Several browsers can remember any password regardless how complex, should not be reusing.

Quick test:

  1. Generate the MD5sum of your password (e.g. http://www.md5generator.com/ )
  2. Google it

If it finds it you’re already in trouble. MD5 reversing websites are even more likely to find it; try http://md5.rednoize.com for example.

PHPBB2 stores passwords unsalted. (3 is a lot better.)

I also run my passwords I need to be secure through a few reverse-hash websites, just to ensure that it’s not stored somewhere

Sounds a bit unsafe. If I ran a reverse-hash website, I’d probably go and add to my rainbow tables all the passwords that someone has already searched for on my same search engine.
Also, I hope s/he used HTTPS to connect to the reverse-hash website. ^^

@Anon who said: @Matt (and others with similar rules) you will get 0wn3d

Not as easily as Jeff did. Anyone can be 0wn3d (what are you, a teeny bopper?). The goal is simply to make it significantly harder for the hackers yet easy enough on yourself so that it isn’t a nuisance. Jeff is a celebrity. I’m not. I don’t have to worry about someone tracking my usage across multiple sites. None of the passwords I generate exist in the online MD5 databases. And I make my variable part cryptic enough to where people aren’t going to see the pattern. I’m not going to say how I do it but it is easy enough. You simply need something that you can easily remember for each site.

We needed to create a secure password hashing algorithm for a project and create multi platform/programming language implementations for easy integration.

That requirement created FSHP (Fairly Secure Hashed Passwords)

Fairly Secure Hashed Password (FSHP) is a salted, iteratively hashed password hashing implementation. Design principle is similar with PBKDF1 specification in RFC 2898 (a.k.a: PKCS #5: Password-Based Cryptography Specification Version 2.0)

FSHP allows choosing the salt length, number of iterations and the underlying cryptographic hash function among SHA-1 and SHA-2 (256, 384, 512).

You can reach Python, Ruby, Perl, PHP and Java implementations of it at GitHub (http://github.com/bdd/fshp)

It’s also available in PyPI, Rubyforge and CPAN. You can easily install with:
Python: easy_install fshp
Ruby: gem install fshp
Perl: perl -MCPAN -e ‘install Crypt::FSHP’

But this is kind of circular.

I would love to use and contribute to StackOverflow.com, but I hate OpenID. If my OpenID password gets owned, then I’m owned on several sites. If StackOverflow.com had it’s own password scheme, and it got lost, then I’d lose only my StackOverflow.com identity. Nothing else would be at risk, since I use different passwords for different sites.