Flogging a dead horse, perhaps? Wonder if they managed to get off all those spam lists in the end....

Yeah, good job sending an e-mail to your boss when he complains that he can't log into his e-mail!
Re: Foiled by the Dictionary, 2008-03-05 10:45, by Just Passing By (unregistered)
He emailed his boss, not the client.

Yeah, I figured it was something like that but couldn't figure out why he would e-mail his own boss a lecture on password security.
And besides, I thought the clients were the boss ;-)

Am I missing something?
TFA says "He changed passwords as fast as he could type". This is a guy who claims to be able to write scripts... So why didn't he?
Re: Foiled by the Dictionary, 2008-03-05 10:55, by SomeCoder (unregistered)
In a case like this, it's far easier to talk to your boss than the clients. Usually, the boss will have some more soothing language for the client than I would ("What the hell were you morons thinking?" would be the first thing out of my mouth :) ) Anyway, I'd usually tell the boss and let him deliver it to the client.
Re: Foiled by the Dictionary, 2008-03-05 11:03, by Michael Lush (unregistered)
There were only 30 users, IMHO that's on the cusp of time to do it by hand vs time to write and test a script
Re: Foiled by the Dictionary, 2008-03-05 11:03, by Walter (unregistered)
Write a script to change passwords for only 30 users?
How fast can you write a script?

I see the users went back to their old passwords. This is where you go into ass-covering mode.
1. Email them explaining the problem and what may happen if they don't behave.
2. Save a copy of the email somewhere safe.
3. Wait till it happens again.
4. Slap email copy on client's face (metaphorically speaking unfortunately).
5. Satisfaction!!
Re: Foiled by the Dictionary, 2008-03-05 11:15, by Outlaw Programmer
The only reason he should have written a script is because it looks like he's going to have to change everyone's password again...and again...and again.

To continue the WTF is why he was able to read their passwords. I would assume that's because the passwords weren't hashed (or if they were there was no salt modifier).
/sigh
Re: Foiled by the Dictionary, 2008-03-05 11:38, by Fnord (unregistered)
mmhmm... nice assumption. note it was *never* stated that he read the passwords. He could have done something simple like logged on with the old password to check if it was changed to something different. there's also password tools like john the ripper out there...

Deprived of their original password choice, the users began choosing alternates:
chains leather dominatrix spikeheels fishnet catoninetails spankmemama ...etc.

Since that particular password was obviously already compromised, it should not have been a big deal for him to specify that they couldn't use it again, and programmatically enforce that restriction.
In fact, given that he knew that spammers had cracked the site before, and would likely try again, he would have been well served to put in restrictions to prevent them from using dictionary words as passwords. In fact, I'd say given the circumstances that failure to do so was negligent, given that he did nothing of substance to try and prevent future attacks of the same kind.
He didn't write the software. It clearly states in the article that the software provided did not allow for any sort of password restrictions or rules. Given the tools he had, I wouldn't say he did anything negligent. Then again, maybe it was time for new tools.
Re: Foiled by the Dictionary, 2008-03-05 13:10, by Joe (unregistered)
One does not get off a spam list. Once a spammee, always a spammee.

Michael, in those circs you take time to TEST the script? You am the man.

ATTENTION:
The new global account password for WTF is: tnemmoc.

This is why I have a random password generator. Takes snippets from /usr/share/dict, slaps 'em together, ends it with two digits. I'd do more, and make it a more difficult password, but people complain about this, and instead of them following company policy on passwords (not my policy, comes from way higher up) back when I let people pick their own, they picked things like their kids' names, their spouses' names, and unhackable words like 'dog.'
Sometimes BOFH behavior is there to save people from themselves.
You know even a spouse's name can be made somewhat more secure if people would only try a little harder. Let's use my login name for example: I want my password to be KattMan. I hax0r it into K477M4n, a mix of upper and lower, with numbers and letters. I know it isn't really strong but it isn't real easy either. Most basic users can remember most of these.

When I have to make new passwords for myself, the process goes like this:
1) Take a reasonable sized piece of the password generated from GRC's password generator
2) Put password on stick-it note on my monitor ZOMG
3) Get rid of stick-it after one week, by then just let my subconscious take care of typing it without me thinking about it

What's the company's name/website? I need to... uh... email my grandmother...

[User takes gun, aims at toe, shoots]
User: Hmmm, not quite what I had in mind.
Tech: Don't aim at your foot!
User: Let me try again. [Aims at next toe...]

Sounds like they suffered backscatter from all the NDRs, I doubt they "got signed up on lists" but more likely got flooded with NDRs and bounce messages.

After you get used to typing it subconsciously, NEVER TRY TO RECALL IT. If you do, you're screwed.
Re: Foiled by the Dictionary, 2008-03-05 15:29, by Whatever (unregistered)
Some helpful facts:
Fact #1: Password cracking is usually done by computer programs.
Fact #2: It is possible to write computer programs to do astonishing things such as find/replace, including the extraordinarily complex transform from regular text into 1337sp33k.
You're not making anything any better at all. Any dictionary attack won't be slowed down in the slightest by your inane encoding.
Re: Foiled by the Dictionary, 2008-03-05 15:31, by gregmac (unregistered)
That's why it is important to enforce the policy on the server. Of course the BOFH policy here is to do something insane, like require 10 characters, at least 1 lower case, 1 upper case, 2 digits, and 2 special characters, maximum age of 30 days, and your passwords can't contain the same 4-character sequence as anything in your last 500 passwords.
Re: Foiled by the Dictionary, 2008-03-05 15:35, by ThePants999
5. ??? 6. Pro- no, I just can't do it. TRWTF is a web host doing while-u-wait telephone tech support...

Sounds like this client was completely FLOGGED UP
Re: Foiled by the Dictionary, 2008-03-05 15:40, by Debian and Ubuntu ROCK (unregistered)
sudo apt-get install apg

Actually, it will. The typical attack program will first test a "common passwords" list (10,000 passwords or so), then a dictionary (100,000 words or so), then mangled versions of the first two (100,000,000 passwords or so). If they've got access to the hashed password list, it'll take ten seconds rather than a millisecond, but if they're attacking over the internet, it may delay things several months.
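A server-side check of the kind gregmac argues for, added here as an example (it is not code from the thread): it undoes the same leet-speak substitutions and digit suffixes that a cracker's mangling rules generate, so "K477M4n" is rejected as the dictionary entry it really is. The word list is a constructed stand-in for /usr/share/dict.

```python
import re

# Constructed stand-in for /usr/share/dict plus a common-password list;
# a real check would load the system dictionary and a leaked-password list.
DICTIONARY = {"chains", "leather", "dominatrix", "spikeheels", "fishnet",
              "password", "flog", "dog", "kattman", "comment"}

# Reverse of the 1337 substitutions a cracker's mangling rules produce,
# so "p4$$w0rd" and "password" land on the same dictionary entry.
UNLEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                        "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})


def candidate_stems(candidate: str) -> set[str]:
    """Forms a mangling rule set would have derived this candidate from."""
    base = candidate.lower()
    # Word + digit/punctuation suffix ("dog99", "flog!") is the commonest mangle.
    stripped = re.sub(r"[^a-z]+$", "", base)
    return {base, stripped, base.translate(UNLEET), stripped.translate(UNLEET)}


def password_problems(candidate: str, min_len: int = 10) -> list[str]:
    """Reasons to reject a candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    hits = sorted(s for s in candidate_stems(candidate) if s in DICTIONARY)
    if hits:
        problems.append("dictionary word after un-mangling: " + ", ".join(hits))
    return problems
```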
Re: Foiled by the Dictionary, 2008-03-05 15:51, by Christian Vogel (unregistered)
If that system is only halfway decent and has a method to set the passwords on the command-line, it should be something like
for u in `list-user-command` ; do
I'd never do something by hand for more than say 10 recurrences. It's just much too easy to get distracted or make typos. And above snippet, written in one line, takes no longer than 10 seconds or so to type.
Re: Foiled by the Dictionary, 2008-03-05 15:59, by Robin Goodfellow (unregistered)
Back when I was in college the main system that people had shell/email accounts on used to run a background process which would actively try to hack people's passwords using dictionary attacks, etc. If your password proved to be vulnerable in this way then you were forced to change it ASAP or your account would be deactivated. I always thought this was a pretty slick way of enforcing password security (more than, say, artificial "complexity" requirements).

Re: Foiled by the Dictionary, 2008-03-05 16:10, by Pitabred (unregistered)
Passwords are very sensitive. Write a script that does something seriously wrong one time, and you'll start testing all your scripts. It only makes sense, especially if the consequences of a screwed up script will cause major issues.

I don't think so...5 or 6 users is the threshold. In ksh, I would just type this into the shell:
$ while read username filler; do
> passwd -u $username -p akj280si
> done < users.txt
Obviously you have to figure out how to generate the new passwords (assigning the same pass to each user isn't good), but you have to do that anyway, so I don't subtract that time from this method.
I apologize for my nitpickiness (since NONE of the commenters ever nitpick) but shouldn't that probably be "assured" instead of "ensured?"

You are completely correct. Good catch.

I remember when I was in college we went through student orientation. At one point we had to pick a username and password. We had requirements on the password, had to be 8 characters, no dictionary words, etc. The instructor gave an example: Use your initials followed by your zip code. So, for instance you'd end up with something like ABC12345. I picked a password (not my initials and zip code) and went on thinking nothing of it. A couple of years later I saw my friend logging in. I noticed he hit 3 letters then the rest of the password was numbers. So I said hey, is your password your initials and zip code? Yep, he said, how did you know? And it gets worse, the university had a student directory available to the public that showed first, middle, and last names as well as address. And it had a really great search feature. You could find any student you wanted to and get the initials and zip code in no time. I was curious and picked a handful of students at random and tried logging in with the initials and zip code password and the success rate was over 50%. It seems that every year each orientation group was given the same password example. Talk about killing password security.

Re: Foiled by the Dictionary, 2008-03-05 17:17, by Joshua Moore (unregistered)
Point taken. Guess I hadn't had enough coffee to kick start my brain. Just seemed odd to me still...
Re: Foiled by the Dictionary, 2008-03-05 17:17, by RR (unregistered)
Pretty much anyone who has ever scripted already has a password changing script written... It's usually one of the first scripts you write
Re: Foiled by the Dictionary, 2008-03-05 18:00, by A. Cube (unregistered)
Or, if he could write the script faster than he could generate, record, and set thirty users' passwords--I know I could (at least, with a system that has decent command line tools). I learned a long time ago that scripting is not merely for reuse, it is also for speed.
Re: Foiled by the Dictionary, 2008-03-05 18:29, by Russ (unregistered)
You're all assuming the email system is scriptable... (or at least easily scriptable).

... gives me a nice and easy-to-recall password of F#1:Pciu that looks pretty impervious to dictionary attacks (and could be longer). To strengthen this scheme, introduce capitalization of key words (or use another language than English).
Re: Foiled by the Dictionary, 2008-03-05 18:59, by mike (unregistered)
Our university claimed to do this, but then a few people got their hands on the password list and started cracking it themselves (purely as an educational exercise) the first one took about 20 minutes, within a day or two they had a couple of dozen including a couple of staff accounts (this was back in the day, cracking more than 1 pw/day was pretty good).

I love mashed up song lyrics for passwords:
i@M+th3_m4|\|-1n+t|-|E_|30x! Feel free to use that one.
Re: Foiled by the Dictionary, 2008-03-05 19:28, by MeRp (unregistered)
The policy you have listed is only a slight exaggeration of the current password policy for my place of employment. Just when you start to remember the incredibly complex password you carefully crafted to meet the requirements it is time to change it again.. and forget about using any of the ones you spent so much time making in the past.

Why is everyone assuming it's (easily) possible to write a script for whatever arcane email solution they're using?
Depending on how important it is, my password is a 20-some character long alphanumeric string, including my very first Dial-up password, PIN number, D&D monster and first Student number. Used only for important truecrypt files, and laptop passwords. vereor me!

Nothing to be lost by simply setting all of their passwords to the same value, again, and then requiring them to change them.
UPDATE Users SET Password = 'tchaynje m3'
At least on SQL-backed systems (which most email software is capable of)...

Heh. The joke's on the BOFH, because those insane requirements actually make the system less secure. If I know that the minimum password length is 10 characters, and has at least 2 digits, 2 special characters, 1 uppercase, and 1 lowercase letter, I suddenly have a lot fewer permutations to brute force than if the BOFH simply disallowed dictionary words and set the minimum password length to, say, 5-6 characters.

My effing god!!!! If there was ever a case where the public good demanded that the offender's identity be revealed...
"We'll all share the same password, 'flog'"?!?!?! These imbeciles should be beaten with large blunt objects if they EVER venture too close to a computer again! And for their own good too, how long until everyone in Nigeria knows their credit card numbers? As good netizens is it ethical to allow these plagues upon the entire internet community to continue their destructive ways?