Admin
I once had an opportunity to crack a password on an .arc file (remember PKARC?). Well, .arc encryption was a simple cyclic XOR of the compressed file with the password. That made it vulnerable to a known-plaintext attack, especially if the file inside wasn't compressed at all. I was able to easily find the first four characters of the password; they turned out to be "hasl". Tried "haslo", worked like a charm.
The catch? This happened in Poland, "haslo" is Polish for "password", and the file I was trying to crack belonged to a Computer Science university lecturer with a Doctorate degree. (Before you report me to the police, this happened almost 20 years ago, I knew up front that the file contained no information useful to me personally, and I only released this information back to the lecturer.)
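The weakness the comment describes, shown in working code. This is an added example, not the commenter's code or PKARC's: with a repeating-key XOR, every ciphertext byte whose plaintext is known gives away one key byte directly (k = c XOR p), so a known or guessable file header leaks the password with no search at all. The key "haslo" is the one from the comment; the plaintext and the `xor_cycle`, `key_stream_from_known_plaintext`, `smallest_period` and `recover_key` helpers are constructed here. The same arithmetic applies to a Vigenère cipher, which is the same scheme with addition mod 26 instead of XOR.

```python
# Added example (not from the comment or from PKARC): why cyclic-XOR "encryption"
# leaks its key under known plaintext. All names and data below are constructed.


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Encrypt or decrypt by XORing each byte with the key byte at position i mod len(key)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_stream_from_known_plaintext(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Return the key bytes used at the positions where the plaintext is known.

    Since c = p XOR k, k = c XOR p: one XOR per byte recovers the key stream.
    """
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def smallest_period(stream: bytes) -> int:
    """Shortest repeat length of a recovered key stream.

    Caveat: this is only the true key length when the known plaintext is longer
    than the key; with fewer known bytes the period cannot be determined (the
    commenter had four bytes, "hasl", and had to guess the fifth).
    """
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover one full repetition of the key from enough known plaintext."""
    stream = key_stream_from_known_plaintext(ciphertext, known_plaintext)
    return stream[: smallest_period(stream)]


# Constructed sample: an uncompressed text file "protected" with the comment's key.
KEY = b"haslo"
PLAINTEXT = b"Lecture notes, week 12: introduction to block ciphers."
CIPHERTEXT = xor_cycle(PLAINTEXT, KEY)

if __name__ == "__main__":
    # Four known bytes give four key bytes, exactly as the comment describes.
    print(key_stream_from_known_plaintext(CIPHERTEXT, PLAINTEXT[:4]))
    # A dozen known bytes are enough to see the key repeat and recover all of it.
    print(recover_key(CIPHERTEXT, PLAINTEXT[:12]))
```

The defensive takeaway is that any scheme in which the key stream is independent of the data and repeats must be assumed broken as soon as a few bytes of plaintext are predictable, which for a file format with a fixed header is always.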
Admin
Stuff email!
Worked in a place where the helpdesk routinely used to ask the users to write their passwords down on post-it notes, so the helpdesk could log in to the users PC to sort out problems. The number of post-its I saw stuck around helpdesk PCs with usernames and passwords written on them! Probably nothing compared to the number of post-its that simply got tossed in the wastepaper baskets at the end of the day!
Admin
Featured ++
Admin
No, that's not what happened at all. He was pretty much universally known as "big boy" for his entire college career. Even if you tried using his real name when talking to somebody else, they typically wouldn't know who you were talking about until you said "you know, big boy!". Having said that, he was never the kind of guy who was going to mix well with others anyway. A more confident person could have probably laughed it off.
Admin
Admin
Actually I read it more like:
Man provides "I" to Dev, Dev produces "V", "V" appears to be promotable to "U" so Dev goes to "T" to get "V" on "U", however "T" includes Man who questions Dev about "I" making noise that "I" isn't good enough for "V" to be promoted to "U" which means that Dev won't get "S" and Man manages to make claim "Y". To prove claim "Y" Man then goes to an external trusted arbiter of knowledge "Google" and "Google" returns "I". So in effect Man was correct in requesting "I" while professing that the only good "V" would include "X" which as his role within "T" would demand rather than "I" which his role within "R" required.
Succinct don't you think?
Admin
Cat-Crouton Engine. Want.
Admin
(As for Alex, a spell-check would go a long way, but hey, who the hell am i to suggest you kill your own private lulz factory? Keep up the good work, indeed! :D )
Admin
Admin
Banks in the UK probably are often doing it very wrong, but in the case of the "give us the 2nd, 3rd, and 5th character" check it's a (necessary) anti-phishing mechanism; and there are always (IME) at least two other identifiers required, which tend to be completely unrelated to your account numbers, of which one (you hope) is appropriately hashed.
Admin
"I checked, and it turns out you were right," is not a WTF. Quickly catching an error is the next best thing to not making an error at all.
On the other hand,
Is the point here: A) The Software Advisory Committee is sexist; B) Michael P. is sexist; C) The author of the article is sexist; D) All of the above
Admin
Admin
The appropriate approach is to send someone a link that they can easily follow, with a time-limited session ID/token in it (e.g. that expires after 24 hours) and where they can set their own password.
Some advantages:
- It doesn't nuke the existing account password (which can happen maliciously or by accident, such as a user typing in their username wrongly and inadvertently triggering a password reset for another similarly named account).
- It's more memorable, because the user chooses the password, not just one that's assigned to them.
- It's more secure - it expires after a short time period, so if someone is snooping through their email later they won't be able to use it to log in to their account without the original account holder knowing.
- It's actually easier. You don't have to temporarily memorise or copy/paste one from the email, then hunt for the "change my password" option to change it to something you can actually remember. All you do is follow a link in the email and type in a password you want.
... and moronic sites like Friends Reunited send you part of your password in plain text periodically, even if you don't ask them to "just in case you forgot" (and ITV wonder why it was a >£100 million loss bucket of fail).
Admin
Passwords are a funny thing. In a computer architecture class about five or six years ago, one of our teachers logged into his Unix account while giving a lecture, using a projector.
The clicking of keys suggested that his password could be his last name, and being the curious type I tried it out from my laptop. Sure enough, a second later I was logged in.
Not thinking twice I did, "touch ~/my_password_sucks_ass" (in Danish, though), and waited for him to list his home directory contents.
When he did and that nice new file was shown in 100+ inches on the wall, a moment of silence ensued, then just a few scattered semi-laughs were heard. For some reason, in my milliseconds of actually thinking this over before doing it, I had imagined a roar of laughs, possibly a medal, a Nobel prize, or some other kind of trophy for my glorious feat. Most definitely a pat on the back from my teacher, grateful for teaching him "one or two things about security".
Of course, what the other students knew better than me in my moment of recklessness, was that this lecturer was not the type who took jokes on his behalf lightly.
He just looked out at us from beneath his massive brows, and said, "He who did this will not like it when I find out who he is."
I almost had a heart attack. If he hadn't been short-sighted, I'm sure he would have spotted my bright red face right then and there. To this day, I still fear the wrath of him finding out it was me.
I seriously hope he doesn't read TDWTF. Or that he's dead.
Admin
It relies on timing.
An emailed password - the user might never change it. It goes across the wire, possibly captured along the way. Later, hacker dude finds and uses email, empties bank account.
With the emailed password, the user is almost certainly clicking refresh in their mail waiting for it, will click it instantly and set the password themselves.
When done properly this link expires after this event, and will time out automatically after a while if it is not used.
The window of opportunity for using the information is now a lot smaller.
It's not perfect, but it is better than clear text.
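The reset flow that this comment and the earlier "send someone a link with a time-limited token" comment describe, as an added example (not code from either commenter or from any site they mention). It assumes a `PasswordResetService` class with `request_reset` and `complete_reset` methods, an in-memory `accounts` dictionary, and an injectable clock, all constructed here. The properties the two comments argue for are each enforced in one place: requesting a reset does not touch the existing password, the token is stored only as a hash so a database leak does not yield usable links, `pop` makes it single-use, and the 24-hour expiry from the earlier comment bounds how long an old email is worth anything.

```python
# Added example (not from the comments or from any real site): a time-limited,
# single-use password reset token. All names, values and the account data are constructed.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the 24-hour expiry the earlier comment uses as its example

Stored = Tuple[bytes, bytes]  # (salt, PBKDF2 digest); the password itself is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> Stored:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def check_password(password: str, stored: Stored) -> bool:
    """Constant-time comparison against the stored digest."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordResetService:
    """Issues and redeems reset tokens. Tokens live only as SHA-256 hashes server-side."""

    def __init__(self, accounts: Dict[str, Stored], clock: Callable[[], float] = time.time):
        self.accounts = accounts       # username -> (salt, digest)
        self.clock = clock             # injectable so expiry can be exercised in a test
        self.pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (username, expires_at)

    def request_reset(self, username: str) -> Optional[str]:
        """Create a fresh token. The account's current password is left untouched."""
        if username not in self.accounts:
            return None  # the HTTP response to the requester should look the same either way
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[token_hash] = (username, self.clock() + TOKEN_TTL_SECONDS)
        # Only the raw token goes out, as part of the emailed link, e.g.
        # https://example.invalid/reset?t=<token>   (placeholder host)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Redeem a token exactly once; unknown, used or expired tokens are refused."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(token_hash, None)  # pop: a second use finds nothing
        if entry is None:
            return False
        username, expires_at = entry
        if self.clock() > expires_at:
            return False
        self.accounts[username] = hash_password(new_password)  # the only point the password changes
        return True


if __name__ == "__main__":
    accounts = {"alice": hash_password("old-secret")}
    svc = PasswordResetService(accounts)
    tok = svc.request_reset("alice")
    print("old password still works after request:", check_password("old-secret", accounts["alice"]))
    print("reset accepted:", svc.complete_reset(tok, "new-secret"))
    print("same token again:", svc.complete_reset(tok, "again"))
```

Because the password only changes inside `complete_reset`, a token that was stolen from the inbox and used leaves the legitimate user locked out of their old password, which is the tamper-evidence a later comment points out: the theft is noticed, whereas an emailed plaintext password can be read and reused silently.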
Admin
Admin
Sending HTML Emails?
Now that IS unprofessional.
Admin
You're telling us that someone this side of the nineteenth century actually implemented a Vigenère cipher for security as opposed to entertainment? In any given Cryptography-for-Kids textbook, it is likely to appear just after ROT13. Whoa.
Admin
Also, if an attacker requests a password reset, breaks into your inbox and uses then deletes it, you'll know because your password has changed. It may only be as secure as your email account, but it's inherently tamper-proof.
Admin
Actually, implementing breadcrumbs while the site is still that simple is better than doing it after there is a lot to unpick, just as repairing a roof even though it isn't raining (yet) is better than doing it once the rain is coming through (unless you need that for diagnostics to spot the damage, I suppose). It depends on whether there's a realistic chance the site will get more elaborate.
Admin
Admin
Admin
That would be the Dubya card.
Admin
Sure, but imagine how much it costs the bank to send out keyboards.
Admin
Thank you, Mr. Obama. Now...don't you have an economy to ruin?
Admin