I Just Logged In As You

I received this anonymous email a few days ago:

You may be wondering why I'm e-mailing you personally, rather than team@stackoverflow.com. It'll make sense when I reveal the hole, which is...


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2009/05/i-just-logged-in-as-you.html

OK, this is a TRULY random guess, is it t;AoVD061MBWm=NX6V+u?

hm, maybe password was… bufferoverflow? g

stackunderflow?

vistarocks?

diggthis#$@%!

Teasers suck.

2nd for fakeplasticrock

I’m going to guess Joshua or some other trivia from the movie War Games, since on your SO user profile page you have a screenshot from the movie (and Joshua was the backdoor password to WOPR).

I suppose that the good-will hacker has access to the passwords of another site where you are registered as a user…

3ee70r4Ng323 (leetorange23 in leet speak) is, and should always be, considered a dictionary password. Changing a letter for a number is not secure; case variations and two numbers at the beginning or end are already checked when brute-forcing hashes.

Take a dictionary, whatever the language (hell, I still have the 300 MB dictionary from back when I was working in security, containing Japanese and Russian romanizations of words and common website URLs); whatever the case, leet speak and/or three numbers at the beginning/end, it’s still part of the dictionary. Period.

Disclaimer: I’m not that guy.

I don’t get it.

What’s the point of having multiple OpenIDs anyway? I thought the point was that you don’t need a different username and password for every site.

Now you need a super-secret OpenID for important sites and a different OpenID that’s only a bit secret for sites where it wouldn’t matter if everyone knew your password anyway?

Even if the hacker just guessed the password, it all seems kinda pointless.

Also, how many times do people have to be told that you log in as administrator when you’re administering and log in as a regular user when doing regular user stuff, which implies that a person who both uses and administers a site should have, say, two freaking accounts?

How hard would that be, anyway? Really? Can’t be done?

And for a completely insane and ridiculous suggestion that no sensible person would ever consider, perhaps even use some advanced high-tech security like public key based client authentication? Fine, your regular users won’t want to deal with that, but presumably the guys running the site aren’t your typical vegetables, and could cope. Then the site admin accounts would be even more secure than they are now.

I would guess that, on another website that either this person moderates or has access to, your password is being stored as a plaintext value in their database. He followed your internet trail back to this blog, at which point all he needed was the openID provider.

Was it swordfish?

Jeff, how many times did your ethical hacker fail at logging in under your name before succeeding?

My guess is wumpus as well.

‘I drive a 1998 Ford Contour.’

Wow, that might be the nicest thing a stranger will ever do for you. I certainly wouldn’t punish him (her?!). And it probably deserves the secret hacker badge; probably not for technical prowess, but for the true hacker ethic.

Maybe a dictionary attack that covers all the typical number substitutions for letters, i.e. 0range, or App1e.
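The rule stack described in the two comments above (the "leet speak, case and digits at the ends are still part of the dictionary" post, and the "0range / App1e" suggestion here) is exactly what a mangling-rule engine does. The block below is an added example, not code from the original post or this thread: the substitution table, the three-word wordlist and the "leaked" hash are all constructed for illustration, and SHA-256 stands in for whatever unsalted fast hash a site actually leaked (MD5, as mentioned later in the thread, behaves identically here).

```python
"""Added example: the mangling rules a cracker applies to every dictionary word.

Everything here is constructed for illustration (substitution table, wordlist,
target hash); it is not code from the original post or the discussion.
"""
import hashlib
import itertools
from typing import Iterator, Optional

# Constructed leet table: the substitutions people actually reach for.
# Real rule sets (hashcat/John rule files) are far larger than this.
LEET = {
    "a": "4@", "b": "8", "e": "3", "g": "9", "i": "1!",
    "l": "1|", "o": "0", "s": "5$", "t": "7",
}


def leet_variants(word: str) -> Iterator[str]:
    """Every way of swapping zero or more letters of `word` for their leet forms."""
    choices = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def case_variants(word: str) -> Iterator[str]:
    """The three casings almost everyone uses: lower, Capitalised, UPPER."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def digit_affixes(max_digits: int) -> list[str]:
    """'' plus every digit string of length 1..max_digits (e.g. '7', '23')."""
    affixes = [""]
    for n in range(1, max_digits + 1):
        affixes.extend("".join(d) for d in itertools.product("0123456789", repeat=n))
    return affixes


def mangle(word: str, max_digits: int = 2) -> Iterator[str]:
    """Yield each unique candidate from case x leet x (digit prefix or suffix)."""
    base_forms = {v for cased in case_variants(word) for v in leet_variants(cased)}
    seen: set[str] = set()
    for form in sorted(base_forms):
        for d in digit_affixes(max_digits):
            for cand in (form + d, d + form):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def candidate_count(word: str, max_digits: int = 2) -> int:
    """How many guesses one dictionary word costs under these rules."""
    return sum(1 for _ in mangle(word, max_digits))


def digest(algo: str, text: str) -> str:
    """Hex digest of `text`, the form a leaked unsalted hash arrives in."""
    return hashlib.new(algo, text.encode()).hexdigest()


def crack(digest_hex: str, algo: str, wordlist: list[str], max_digits: int = 2) -> Optional[str]:
    """Recover an unsalted fast-hash password by hashing every mangled candidate.

    `algo` is any hashlib name ("md5", "sha256", ...); the demo uses SHA-256.
    """
    for word in wordlist:
        for cand in mangle(word, max_digits):
            if digest(algo, cand) == digest_hex:
                return cand
    return None


if __name__ == "__main__":
    # Constructed wordlist and a constructed "leaked" SHA-256 of the password 0range23.
    wordlist = ["apple", "orange", "wumpus"]
    target = digest("sha256", "0range23")
    n = candidate_count("orange")
    print(f"'orange' expands to {n} candidates; 8 printable-char brute force is {95**8:,}")
    print("cracked:", crack(target, "sha256", wordlist))
```

The point the numbers make: a six-letter word with case, leet and up to two digits at either end costs a few thousand hashes, against roughly 6.6 quadrillion for a blind eight-character search, so "0range23" sits firmly on the dictionary side of the line. Salting and a slow hash (bcrypt, scrypt, Argon2) raise the cost per guess; they do not move a word like this out of the dictionary.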

Oh right, and all you guys that are talking about dictionary attacks look to be off the mark. The email itself says it:

I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out.

He already had the password - there was no need for a dictionary attack - all he needed to know was the OpenID provider (probably Google), and then he could log in using his Google credentials, not to mention he could probably check his email and all that other good stuff that Google gives you.

Since OpenID passwords are encrypted, this hacker most likely picked up the hash value from IP traffic and then went to one of the sites which allow you to decrypt MD5 with a little bit of brute force. Since we know that the password was a dictionary word, the brute force could have been quite gentle in this case.

sixtoeightweeks