• 10
• 9
• 12
• 14
• 15
• entries
191
861
• views
117382

SECURITY!

186 views

Someone hacked my website's forums, unfortunately it was back in January sometime and I only found out about it this week.

The guy apparently knew I never checked it, because he publicly gloated about it and even said he's looking forward to ruining my life once he cracked my forum password, assuming I used the same password for everything.

I 'kind of sort of' used the same password. Basically I have 5 levels of security, based on how strongly I feel a site is secured combined with how important the data is to me, and use a different password for each level. Fortunately, the forum used my lowest level password.

Since it's been almost 2 months, and nothing else of mine has been hacked, I'm guessing he hasn't cracked the password yet.

PHPBB uses MD5 hashes for the password. I checked all publicly available MD5 reverse lookups, and my password appeared on none of them, being a combination of non-word characters and random numbers. So I guess I'm covered there.

But to be safe, I went ahead and switched everything over to much longer and even more random passwords, now with 7 levels.

Much to my chagrin, there's a lot of things out there that have maximum password sizes. For example, one of the important sites that I deal with has a maximum password size of 8 characters. What the hell is up with that? (Yes, my old password for that site was 8 characters. Yes, I now know that 8 is much too small).

Wow, that's astounding. I never realized how weak most sites out there are when it comes to protecting your passwords.

Am I the only one who takes security at least somewhat seriously? For my recently developed financial manager software, I store files in a GZipped, then AES encrypted file. Passwords must be AT LEAST 8 characters long. I use the 256-bit key version of the algorithm where I salt and hash the password before applying it.

Hell, for BetterMUD 2, a game that I most likely will not finish, I use salted SHA256 passwords, and over the weekend, had a serious inclination to switch it to SHA512 instead.

Furthermore, it scares me that some sites even put in restrictions that they think will make your password more secure, but in reality actually makes it easier to crack! For example, there's a site that says:

1) You must have at least one upper-case letter in your password.
2) You must have at least one lower-case letter in your password.

Brilliant. Now everyone knows that they don't have to check all-lowercase, all-uppercase, all-letter, all-digit passwords, and passwords with less than two digits. You just made it EASIER to break in! Furthermore, when you impose rules like that, you just know that most people are going to capitalize the first letter, leave the rest lowercase, and tack on a number at the end, so you really haven't done anything at all!

And finally, the thing that scares me the most:

Why are ATM pins only 4 DIGITS? What braindead moron thought that this could possibly be a form of security?

PS. My calendar still looks like some kind of a fish.

PPS. That wasn't intentional.

My ATM PIN is nine digits.

Speaking of security:

and you might want to check your hashes against
rainbow tables too. Not that a detremined enough soul can be stopped, you can try to find a hash that is near the end of the computation of the table.

[IIRC]

The 8 character limit might exist because old windows passwords [NT4 compatable] truncated anything beyond when making the hash.

Thus 'foobiemo' and 'foobiemonkey5123456RTY&\$' hashed identically and were accepted for each other. Oops.

And of course, terrible web apps will also sometimes store it in a DB and make the field a limited set of characters, but that's less interesting.

This is all coming from a guy who was proud of having cheated at my games last week.

"I don't need to practice what I preach, because I'm not the kind of person I'm preaching to." -- J.R. "Bob" Dobbs

Your typical low-end commercial website operator views security as overhead which is of relatively low importance (especially compared to, say, sales). They also tend to hire lowest-bidder site creators that either also don't care about security or don't understand it and screw it up.

mid- and high-end operators are in no way immune to this sort of mindset as well. However it does tend to cost them more if they get burned so it's more likely that they will give it the importance it deserves during the intitial design and then turn it all over to a junior programmer who doesn't understand it and screws it up.

:P

*cough*Gamedev*cough*

:)

You'd be sickend about how inscure alot of sites are.

action=login&dom_id=2&u_login=_____&u_password=_______
//^^ Pulled from Gamedev's traffic via Ethereal.


now, multiply that by the number of non-ssl web apps you use (every single PHP based anything in existance)

Ugh, we should just kill all the asshats who spend time doing that kind of shit. Seriously, if they're not going to be constructive, they should just fall off the internet.

* falls off the internet

It's stupid that script kiddies try to "hack" these sites. What do they accomplish? They're wasting their own time, as well as someone elses. Go do yourself, and the world, a favour and kill yourself.