
How I'd Hack Your Weak Passwords

app103:
Stop whatever you are doing and read this article. Then go fix your password issues. Don't wait till tomorrow or next week, do it now.

    * You probably use the same password for lots of stuff right?
    * Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
    * However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
    * So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
    * Once we've got several login+password pairings we can then go back and test them on targeted sites.
    * But wait? How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.
--- End quote ---


http://lifehacker.com/5505400/how-id-hack-your-weak-passwords
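The quoted article says the time to brute-force a password comes down to its length and complexity against the attacker's guess rate. The script below is an added example, not from the Lifehacker article or from this thread: it estimates the search space an exhaustive guesser has to cover for a given password, converts that into time at an assumed guess rate, and generates a replacement password the way a password manager's generator does (OS CSPRNG via the `secrets` module). The guess rates in `main()` are assumptions chosen for illustration, not measurements.

```python
import math
import secrets
import string

# Character classes an attacker would have to include in the alphabet
# once they know (or guess) which kinds of characters the password uses.
CLASSES = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32
}


def charset_size(password: str) -> int:
    """Size of the alphabet a guesser must cover: every class the password
    touches counts in full, plus one per character outside all classes."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    others = {c for c in password
              if not any(c in chars for chars in CLASSES.values())}
    return size + len(others)


def keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length contains."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; the usual 'bits of strength' figure."""
    return math.log2(keyspace(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate.
    On average an attacker finds it in about half this time."""
    return keyspace(password) / guesses_per_second


def generate_password(length: int = 16,
                      alphabet: str = string.ascii_letters + string.digits
                      + string.punctuation) -> str:
    """Random password from the OS CSPRNG (what a manager like KeePass does)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def human_time(seconds: float) -> str:
    """Rough, readable rendering of a duration for the report below."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def main() -> None:
    # Assumed rates (illustrative only): an online guesser throttled by the
    # server versus an offline attack against a leaked password hash.
    rates = {"online, ~100 guesses/s": 1e2, "offline, ~1e9 guesses/s": 1e9}
    samples = ["password1", "Summer2010!", generate_password(16)]
    for pw in samples:
        print(f"{pw!r}: alphabet {charset_size(pw)}, "
              f"{entropy_bits(pw):.1f} bits")
        for label, rate in rates.items():
            print(f"    {label}: {human_time(seconds_to_exhaust(pw, rate))}")


if __name__ == "__main__":
    main()
```

The point the numbers make is the one the article makes: a lowercase-plus-digit password of nine characters is a 36^9 search, which is hours of work at offline rates, while sixteen characters drawn from all four classes puts the same attack out of reach; reuse, not the bank's login page, is what turns the weak site's breach into a Paypal or domain-registrar problem.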

wraith808:
It still wouldn't work in most cases today... that's why banks have the authorization questions and pins in place, because they figured this out already.  If you try to login from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password.  Then, if your bank is extremely paranoid like mine is, you'll have to enter a pin before you do anything after that.

They have a point, but it's not as big of a deal as it used to be.

gexecuter:
I use Keepass to handle my password generation; I suggest all of you do the same because it's pretty handy.

Eóin:
I'm happy to believe my common password isn't human guessable, but I'd say it is bruteforce-able. I don't use it for any site which deals with money, but still, if someone guessed it there'd probably be a way to go from it to some of what I'd consider my more secure passwords.

app103:
It still wouldn't work in most cases today... that's why banks have the authorization questions and pins in place, because they figured this out already.  If you try to login from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password.  Then, if your bank is extremely paranoid like mine is, you'll have to enter a pin before you do anything after that.

They have a point, but it's not as big of a deal as it used to be.
-wraith808 (April 01, 2010, 08:21 AM)
--- End quote ---

Sites like Paypal aren't as paranoid as your bank, but access to a site like that could be just as devastating for some people, considering Paypal accounts are usually tied to checking and/or credit card accounts, and may also contain a cash balance, sometimes a large one if you run a business that accepts payments through Paypal.

How about hijacking your domain name?

How about gaining access to your account at the site you have your car insurance, changing the address, phone number etc, and then canceling your insurance and asking for a refund on unused premiums?

There is a whole lot more than just access to your bank's website to worry about, and a lot of those sites are not as paranoid about security.
