Sign in to follow this  
  • entries
    191
  • comments
    861
  • views
    116954

SECURITY!

Sign in to follow this  
Mithrandir

165 views

Someone hacked my website's forums, unfortunately it was back in January sometime and I only found out about it this week.

The guy apparently knew I never checked it, because he publicly gloated about it and even said he's looking forward to ruining my life once he cracked my forum password, assuming I used the same password for everything.

I 'kind of sort of' used the same password. Basically I have 5 levels of security, based on how strongly I feel a site is secured combined with how important the data is to me, and use a different password for each level. Fortunately, the forum used my lowest level password.

Since it's been almost 2 months, and nothing else of mine has been hacked, I'm guessing he hasn't cracked the password yet.

PHPBB uses MD5 hashes for the password. I checked all publicly available MD5 reverse lookups, and my password appeared on none of them, being a combination of non-word characters and random numbers. So I guess I'm covered there.


But to be safe, I went ahead and switched everything over to much longer and even more random passwords, now with 7 levels.


Much to my chagrin, there's a lot of things out there that have maximum password sizes. For example, one of the important sites that I deal with has a maximum password size of 8 characters. What the hell is up with that? (Yes, my old password for that site was 8 characters. Yes, I now know that 8 is much too small).


Furthermore, I'm scared by the sheer number of sites out there that store my password somewhere in a retrievable format. "Click here if you forgot your password and we'll send you your old password in plaintext to your e-mail address! Ha Ha! Security!".

Wow, that's astounding. I never realized how weak most sites out there are when it comes to protecting your passwords.


Am I the only one who takes security at least somewhat seriously? For my recently developed financial manager software, I store files in a GZipped, then AES encrypted file. Passwords must be AT LEAST 8 characters long. I use the 256-bit key version of the algorithm where I salt and hash the password before applying it.

Hell, for BetterMUD 2, a game that I most likely will not finish, I use salted SHA256 passwords, and over the weekend, had a serious inclination to switch it to SHA512 instead.


Furthermore, it scares me that some sites even put in restrictions that they think will make your password more secure, but in reality actually makes it easier to crack! For example, there's a site that says:

1) You must have at least one upper-case letter in your password.
2) You must have at least one lower-case letter in your password.
3) You must have at least 2 digits in your password.


Brilliant. Now everyone knows that they don't have to check all-lowercase, all-uppercase, all-letter, all-digit passwords, and passwords with less than two digits. You just made it EASIER to break in! Furthermore, when you impose rules like that, you just know that most people are going to capitalize the first letter, leave the rest lowercase, and tack on a number at the end, so you really haven't done anything at all!



And finally, the thing that scares me the most:

Why are ATM pins only 4 DIGITS? What braindead moron thought that this could possibly be a form of security?






PS. My calendar still looks like some kind of a fish.


PPS. That wasn't intentional.
Sign in to follow this  


8 Comments


Recommended Comments

[IIRC]

The 8 character limit might exist because old windows passwords [NT4 compatable] truncated anything beyond when making the hash.

Thus 'foobiemo' and 'foobiemonkey5123456RTY&$$$' hashed identically and were accepted for each other. Oops.

And of course, terrible web apps will also sometimes store it in a DB and make the field a limited set of characters, but that's less interesting.

Share this comment


Link to comment
This is all coming from a guy who was proud of having cheated at my games last week.


"I don't need to practice what I preach, because I'm not the kind of person I'm preaching to." -- J.R. "Bob" Dobbs

Share this comment


Link to comment
Your typical low-end commercial website operator views security as overhead which is of relatively low importance (especially compared to, say, sales). They also tend to hire lowest-bidder site creators that either also don't care about security or don't understand it and screw it up.

mid- and high-end operators are in no way immune to this sort of mindset as well. However it does tend to cost them more if they get burned so it's more likely that they will give it the importance it deserves during the intitial design and then turn it all over to a junior programmer who doesn't understand it and screws it up.

Share this comment


Link to comment
:P

Get this, how often do you log into a website that transmits your username/password in the clear to get a session up and running?

*cough*Gamedev*cough*

:)

You'd be sickend about how inscure alot of sites are.


action=login&dom_id=2&u_login=_____&u_password=_______
//^^ Pulled from Gamedev's traffic via Ethereal.


now, multiply that by the number of non-ssl web apps you use (every single PHP based anything in existance)

Share this comment


Link to comment
Ugh, we should just kill all the asshats who spend time doing that kind of shit. Seriously, if they're not going to be constructive, they should just fall off the internet.

* falls off the internet

Share this comment


Link to comment
It's stupid that script kiddies try to "hack" these sites. What do they accomplish? They're wasting their own time, as well as someone elses. Go do yourself, and the world, a favour and kill yourself.

Share this comment


Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now