Today Threatpost sent me to a news article about the fact that Twitter is protecting against bad passwords by checking for them against a list. And, that list of bad passwords is contained right in the source of the signup page. (Line 282 in the current source of that page.) This raises two questions in my mind: 1) Where did Twitter get this list? Was it their own creation, or is it based on, say, the 370 most commonly used passwords on Twitter? Is Twitter making any users who use one of these passwords change their password? If I were to, say, modify the source of the signup page, could I still sign up with a ‘banned’ password? 2) What passwords *should* be[…]

All of us are terrible at remembering passwords, which drives us to find convenient ways to make logging on to our Twitter, bank, and other online accounts a bit easier and much less secure. Users combat password fatigue by using the same password for all of their accounts, selecting short and weak passwords, or creating passwords that satisfy the complexity rules but are still bad. There is a simple way to make the passwords for accounts you don’t use often or care about too much a bit more secure than “PoisonRocks1” – like the hair bands of the 80s, just forget about them. Don’t remember those passwords; just reset them each time you need to log in to the account. Before you get alarmed at what I’m proposing,[…]

Recently, I was buying a bottle of wine at the grocery store and was asked to show my ID. My license picture was taken about 4 years ago, when I was 20-30 lbs lighter and before I started shaving my head, so it doesn’t look all that much like me anymore. The clerk was skeptical, and he asked me to show another form of ID, which I provided by showing him a few credit cards. Apparently, that was enough to convince him that I was who the license said I was. What if I had just stolen someone’s wallet, though? I would have easily been able to produce credit cards that accompanied the license in the wallet. Showing that extra[…]

If you haven’t heard of OpenID, I suggest you create a LiveJournal account and start seeing where you can log in with your LiveJournal credentials. You can also read more about it at openid.net. The basic premise is a distributed authentication system that allows a user to select their authentication provider when they log into various web sites. The hitch is that you and the site you want to log into have to agree on an authentication provider. When OpenID was first announced, it touted that you could run your own OpenID server, and then you’d never have to give your password to the site you’re logging into, only to the site (which you trust) that you’re authenticating[…]

Not long ago, I posted about snooping admins and suggested some ways to prevent them from abusing their positions. Today, we have an example of an administrator who used his powers to prevent other admins from logging into the network. Terry Childs, who had become disgruntled over discipline for poor performance, reconfigured the network so that only he had access. He has refused to surrender the password for his account, and at the time the linked article was written, work was still being done to regain access to the network. So, we can add this to the list of things to be wary of when handing out permissions to administrators. It looks like they knew about a month ago that[…]

Jeff over at Coding Horror lashed out at the MENSA web site today, after discovering that it presumably stores passwords in a recoverable (reversible) format rather than as a one-way hash. The main point is that because the passwords can be retrieved by the application and sent back to the users, they must be stored in a way that would allow an attacker who gets at the data to obtain a list of all (or some) of the passwords in the system. One primary reason this is a bad thing is that many users reuse the same password across all of their various accounts, so if the password is compromised in one place, it’s compromised everywhere. Apparently, according[…]