A couple of weeks ago at work I registered on a password-protected website. Since then, I’ve been able to log on from my work computer with no problem. (Yes, it is a work-friendly site.)
Over the weekend I tried to log on from my home computer. I kept getting the message that my password was invalid. Now I’m pretty sure I know what my password is, but perhaps I hit a typo or a misplaced capital letter or some damn thing when I typed it.
I emailed the “lost your password?” field, but the website hasn’t responded.
I looked in the Cookie file on my work computer. The site’s there, but the cookie is a long string of numbers, no text.
Is there anyway I can figure out just what the hell I typed, in case the site never responds to my desperate queries?
Cracking passwords is a topic the mods are unlikely to let slide, but you might handle this without doing anything nefarious. The site is using a cookie as a “remember me” tool to keep you logged in, so you can probably just copy that cookie entry from your work computer to your home computer. Barring that, you’ll need to wait for the website to respond to your forgotten password query.
It is very unlikely that the cookie on your computer actually contains your password, even in hashed form. That would be fairly bad design on their part. It’s more likely to be a random string like a server-generated session ID that they record in your cookie and in their database to keep a session alive between visits.
Nope. And if the Lost Password link didn’t respond, it may be be because you mistyped your email address as well. About the only things you can do are 1) copy the work cookie to disk and put it in the appropriate folder on your home computer, 2) email the webmaster or suppoert person and explain the situation, or 3) sign up with a new account and start over again.
A hash is only as secure as the underlying password. Dictionary attacks will succeed easily on bad passwords and fail on good ones.
It’s bad design in general because it puts all the info you need for a dictionary attack on an unsecured channel. Even sites which use SSL for the login phase may switch to unsecured URLs for content once you’re authenticated. The cookie gets included in every HTTP query, so anyone monitoring traffic can assemble their own password file just by looking at these cookies. SDMB doesn’t use SSL for logins (though they do appear to hash the password in client-side code) so it’s kind of a moot point in this case. This is a pretty low priority threat, but there are better ways to handle it.
Agreed. Which is why banks and other sites which really do need good security don’t use cookies as logins. But for most uses, cookies with hashed passwords are plenty secure. It’s not like someone can drain my bank account or forge my identity if they manage to crack my SDMB account.
But the OP wasn’t talking about SDMB. We have no way of knowing how secure the site they were visiting was, and my comment was simply intended to warn them that trying to crack the cookie might be pointless because it is wrong to assume the password is even there. It might be, but it might not.
I’m not criticizing SDMB’s technique at all because, as you point out, the risk is low. That doesn’t mean the OP can necessarily apply what works at SDMB to all other sites.