topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Saturday December 7, 2024, 3:23 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: How I'd Hack Your Weak Passwords  (Read 21490 times)

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
How I'd Hack Your Weak Passwords
« on: April 01, 2010, 06:14 AM »
Stop whatever you are doing and read this article. Then go fix your password issues. Don't wait till tomorrow or next week, do it now.

   * You probably use the same password for lots of stuff right?
    * Some sites you access such as your Bank or work VPN probably have pretty decent security, so I'm not going to attack them.
    * However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you've shopped at might not be as well prepared. So those are the ones I'd work on.
    * So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
    * Once we've got several login+password pairings we can then go back and test them on targeted sites.
    * But wait? How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser's cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker's computer, and the speed of the hacker's Internet connection.


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #1 on: April 01, 2010, 08:21 AM »
It still wouldn't work in most cases today... that's why banks have the authorization questions and pins in place, because they figured this out already.  If you try to login from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password.  Then, if your bank is extremely paranoid like mine is, you'll have to enter a pin before you do anything after that.

They have a point, but it's not as big of a deal as it used to be.

gexecuter

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 252
  • Move over and give us some room...
    • View Profile
    • Elite Freeware
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #2 on: April 01, 2010, 08:43 AM »
I use Keepass to handle my password generation, i suggest all of you do the same because it's pretty handy.
Mouser is made of win and awesome!

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #3 on: April 01, 2010, 10:01 AM »
I'm happy to believe my common password isn't human guessable, but I'd say it is bruteforce-able. I don't use it for any site which deal with money but still if someone guessed it there'd probably be a way to go from it to some of what I'd consider by more secure passwords.

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #4 on: April 01, 2010, 10:11 AM »
It still wouldn't work in most cases today... that's why banks have the authorization questions and pins in place, because they figured this out already.  If you try to login from a computer that the user hasn't already used, you'll get one of a series of questions before you get in... questions that are based on the user, not the password.  Then, if your bank is extremely paranoid like mine is, you'll have to enter a pin before you do anything after that.

They have a point, but it's not as big of a deal as it used to be.

Sites like Paypal aren't as paranoid as your bank, but access to a site like that could be just as devastating for some people, considering Paypal accounts are usually tied to checking and/or credit card accounts, and may also contain a cash balance, sometimes a large one if you run a business that accepts payments through Paypal.

How about hijacking your domain name?

How about gaining access to your account at the site you have your car insurance, changing the address, phone number etc, and then canceling your insurance and asking for a refund on unused premiums?

There is a whole lot more than just access to your bank's website to worry about, and a lot of those sites are not as paranoid about security.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #5 on: April 01, 2010, 10:49 AM »
Paypal actually does have checks and balances (which I've run afoul of several times), but point taken, even though I never activate online access to most of those other services...

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #6 on: April 01, 2010, 11:04 AM »
paypal has a wonderful and cheap hardware security key that generates one-time use pins that can be required for login.  i wish my bank and credit card account was so secure.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #7 on: April 01, 2010, 11:12 AM »
And an (over?) zealous fraud department that calls me all the time  :huh:

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #8 on: April 01, 2010, 12:22 PM »
paypal has a wonderful and cheap hardware security key that generates one-time use pins that can be required for login.  i wish my bank and credit card account was so secure.


Most people don't know about that hardware key.

AOL has a similar key that can protect your account and email, if you use their service. The key is required on accounts for all AOL employees (and they get it for free), and optional for their customers, who get charged for each one. And each screen name needs it's own key, so to fully protect an account containing 7 screen names, it would cost you $140 initially for setup and the hardware devices, and $1.95/month to continue using it. It's not something they advertised all that much, and if you want it you'd have to already know it exists through some other means of finding out about it (like reading this post) and then contacting their customer service and asking how to get one. (this is why adoption by their users has been considered a failure...nobody knows it's available)

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,069
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #9 on: April 01, 2010, 02:58 PM »
My business bank account demands you login as normal and then to access account info you have to use a device that that looks like a calculator which you have to insert your debit card, use your card pin in the device and it creates a unique 8 digit code for that session. Very effective - and even puts me off using online banking because it is so convoluted!
« Last Edit: April 01, 2010, 03:00 PM by Carol Haynes »

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #10 on: April 02, 2010, 03:13 PM »
FWIW  ;)

Spoiler
WB.jpg


KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,761
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #11 on: April 03, 2010, 04:31 PM »
My business bank account demands you login as normal and then to access account info you have to use a device that that looks like a calculator which you have to insert your debit card, use your card pin in the device and it creates a unique 8 digit code for that session. Very effective - and even puts me off using online banking because it is so convoluted!
-Carol Haynes (April 01, 2010, 02:58 PM)

I have that same system, from Barclays PLC Business Banking, and one for my personal accounts.  It also annoys me enough that I have used online banking ONCE to check out the system, then decided it was quicker and easier to find a cash machine!

Ashraf

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 46
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #12 on: April 03, 2010, 08:36 PM »
I don't know if anyone noticed but that article is over 3 years old. LH just had the author copy and paste it onto LH - it is nothing new. So, yes some techniques may be outdated.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • **
  • Posts: 3,761
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #13 on: April 03, 2010, 08:43 PM »
Outdated or not, old, or brand spanking new, this is still a good subject to touch upon from time to time.

People who are not exactly tech savvy will find this a very interesting read indeed and even those of us who do know what we are doing, sometimes need reminding to choose passwords people cant simply guess or bruteforce, and to stop us using the same passwords for everything.

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,626
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #14 on: April 10, 2010, 01:35 PM »
I use Keepass to handle my password generation, i suggest all of you do the same because it's pretty handy.

:up: same here, works great

clemo1

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 3
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #15 on: April 11, 2010, 01:00 AM »
I use 'Key Scrambler' but it only scrambles and decodes against keyloggers.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,776
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #16 on: December 14, 2010, 04:34 AM »
http://lifehacker.co...-your-weak-passwords

Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,626
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #17 on: December 14, 2010, 07:18 AM »
Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.
:( can you recover them? Recovery questions and whatnot? Or get a new password via the 'forgot your password?' system?

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #18 on: December 14, 2010, 07:26 AM »
Once again app103 alerted us ahead of time, and if you had listened to her you would be safe.
Lesson: LIST TO APP103 when she posts something!

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #19 on: December 14, 2010, 09:32 AM »
Interesting little note: How To Safely Store A Password.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

And that’s without investing anything.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #20 on: December 14, 2010, 10:34 AM »
Eóin: bcrypt or pbkdf2... when will the world learn? ZOMG I CAN ROLL MY OWN SUPERSECURE USER VALIDATION SYSTEMS!!1!oneoneeleven!
- carpe noctem

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #21 on: December 14, 2010, 06:10 PM »
Interesting little note: How To Safely Store A Password.

A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

And that’s without investing anything.

For easy to remember but stronger passwords, pass-phrases are great.

The scale there is logarithmic, so if you use a pass-phrase, each character beyond 6 multiplies the brute force time by 10. So:

thisismyphrase

has 14 characters, and would take 40 seconds * (14 chars - 6 chars)^10 seconds, or 40 * 100,000,000 seconds = 126.755059 years.

A dictionary pass-phrase attack could cut that time down, but is more complex.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Eóin

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,401
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #22 on: December 15, 2010, 09:14 AM »
It's better than that Renegade, for lowercase alphanumeric, each additional character increases the search space by 36 (26 letters + 10 digits).

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,776
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #23 on: December 15, 2010, 02:12 PM »
Oh the Irony! My LifeHacker (Gawker) account was just compromised, and the login details were used to get into my (old) Gmail account and send spam to everyone in my contact list.
:( can you recover them? Recovery questions and whatnot? Or get a new password via the 'forgot your password?' system?

My login details were not changed. In fact, I think my account wasn't actually logged into by a person. I think my credentials were just used to authenticate a robot to grab my contact list and mass send spam to 10 people at a time (or whatever) without actually signing in to the Gmail website. But that's just a guess. I could be completely wrong about that.

But anyway, yeah, I just signed in, Google alerted me of suspicious activity and recommended to me that I should change my password, which I did. I also removed everybody from my contact list since I don't use that account anymore (for sending e-mail), in case it somehow gets compromised again.

Now I'm using a password manager and going crazy with the password generator. So far I've generated passwords using Alphanumerics + Special Characters that were anywhere from the "lowly" 20 to "insane" amount of 40 characters long. Now I just have to hope beyond hope that my password manager never loses it's database or becomes compromised.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: How I’d Hack Your Weak Passwords
« Reply #24 on: December 15, 2010, 02:15 PM »
^ That really sucks.  I wish there was some way to hold people responsible for this kind of stuff accountable for their actions. :(  I've never been really paranoid about my passwords... but I'm getting there.  I just don't want to use a password generator/manager.  I started along that path with 1Password, but just never got to the using it part.  :-[  I do like the idea of using a passphrase, though.