I thought these accounts block the entire account, not just people trying to login from certain IP addresses. Am I incorrect in my understanding?
Let’s be frank, anyone who is computer savvy and chooses good passwords to begin with doesn’t use AOL. Chances are the guy had a very easy-to-guess password, one that they could probably do a dictionary attack with and be in in a relatively short amount of time. I dunno if AOL has anti-brute-force measures in use, but it seems like they could alternatively get his password from AOL Instant Messenger if it lets you repeatedly log in.
Alternatively AOL could have a password reset service that asks personal questions that his girlfriend could have provided to the hackers.
Hmmm…it seems Hotmail no longer blocks access, just makes you go through CAPTCHAs, but if you go back to the main hotmail.com webpage, you can bypass the CAPTCHA (although if you get the password wrong, it’ll throw you straight to the CAPTCHA page, which you can get out of by going back to hotmail.com). I swear this used to not be the case, that you were blocked out, and for more than just 15 minutes at a time.
Usually those send to another email defined in the profile though (either the old password or utter gibberish).
I’m not sure, which I stated near the end. It is a good question, one I’ve never encountered for obvious reasons. Anyone have a laptop or something and live where they can pick up a public network their normal comp isn’t part of, who wants to try?
D’oh
Looking online, I found some posts from 2004 that indicate that Hotmail did indeed block the entire account for many hours at a time. It seems they no longer do this, as this same forum was full of complaints about Hotmail having such security procedures (and how easy it would be to screw somebody’s access up by incorrectly logging into their account multiple times.)
Okay, now on the exploit issue here’s one that I’m going to be very vague about. It wouldn’t work for a foreign company that does this for just anyone, but if you were knowledgeable enough you could pull it off with little more than waiting until they’re on a public network (or can get on THEIR network somehow, if they’re not tech savvy this means sitting in a car outside their house and looking for the network named “Linksys”). It basically boils down to (again, being vague) using a couple network monitoring programs to “hijack” the cookie. Once you do that you’re treated as if you’re either on the webpage logged in right now or always logged in (depending on whether they accidentally clicked that “remember me” box or not). I know this works for Gmail, and I’m sure if you knew the right names it probably works for others. This only gets you in, not the password, but if you’re in the password would probably flow pretty easily.
Note that you can actually get a lot of hacking info from security sites, often of the mantra that the best way to protect yourself is to know your weak points. These have… varying degrees of believability in that mantra, but oftentimes hacks will be released soon after they’re fixed so that people can see what people are coming up with nowadays. I think there was a huge hack in Chrome a while back (something with javascript and switching IPs in the middle, I think?) that a respected security guy found that didn’t really have the explicits released until it was fixed. So if you’re wondering how they used to do it, it’s pretty easy to find usually.
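The cookie-hijack scenario the post above describes, as an added example that is not part of the original thread: a passive sniffer on a shared network only needs to read the `Cookie:` header out of a plaintext HTTP request and put the same header on its own request. The capture, host names and cookie values below are constructed; the `audit_set_cookie` function is the check a site owner would want, flagging a `Set-Cookie` that makes the replay possible (no `Secure` flag, or a persistent "remember me" cookie).

```python
import re

# Constructed capture: two plaintext HTTP requests exactly as they would appear
# to anyone sniffing a shared Wi-Fi network. Values are made up.
CAPTURE = (
    b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"Cookie: SID=abc123; REMEMBER=1\r\n\r\n"
    b"GET /search?q=x HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: x\r\n\r\n"
)

# One HTTP/1.x request line plus its header block, terminated by a blank line.
REQUEST_RE = re.compile(
    rb"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]\r\n"
    rb"(?P<headers>(?:[^\r\n]+\r\n)*)\r\n",
    re.MULTILINE,
)


def harvest_cookies(capture: bytes) -> dict:
    """Map each Host seen in plaintext requests to the cookies the client sent it."""
    jar = {}
    for m in REQUEST_RE.finditer(capture):
        headers = {}
        for line in m.group("headers").split(b"\r\n"):
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower().decode()] = value.strip().decode()
        host, cookie = headers.get("host"), headers.get("cookie")
        if host and cookie:
            pairs = (p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
            jar.setdefault(host, {}).update(dict(pairs))
    return jar


def forge_request(host: str, path: str, cookies: dict) -> bytes:
    """Build the request the attacker would send: same cookies, different client."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def audit_set_cookie(set_cookie: str) -> list:
    """Defender's side: list the properties of a Set-Cookie header that make the
    hijack above possible."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    issues = []
    if "secure" not in attrs:
        issues.append("no Secure flag: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("no HttpOnly flag: cookie is readable by page script")
    if any(a.startswith(("max-age", "expires")) for a in attrs):
        issues.append("persistent cookie: stays valid after the browser closes")
    return issues


if __name__ == "__main__":
    jar = harvest_cookies(CAPTURE)
    print(jar)
    print(forge_request("mail.example.com", "/mail/", jar["mail.example.com"]))
    print(audit_set_cookie("SID=abc123; Path=/; HttpOnly"))
```

The `REMEMBER=1` cookie in the constructed capture stands in for the "remember me" case the post mentions: a session cookie dies when the victim closes the browser, a persistent one can be replayed until it expires or the server invalidates it. Serving the site only over HTTPS and setting `Secure` is what keeps the header out of the capture in the first place.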
Email is probably one of the least secure of these if I had to guess.
This is why my password is 21 characters long and completely random numbers, letters and symbols. Brute forcing or just guessing is easy. Not too long ago I had to work on my mom’s laptop she left me; she didn’t tell me she had a password for it. I was able to guess the password on the 2nd try. First try was right, I just forgot to capitalize the first letter! If you know somebody well enough you can guess.
On the other hand, if you ONLY consider six-letter words, all lower-case, like most people would choose, then you’re down to about 300 million. And much less than that if it’s just words. Most people don’t put any effort at all into password security.
I am computer savvy, use strong passwords and I use AOL.
Perhaps I have a criminal mind, perhaps not. If I were to try to hack an account, I would try to trigger the “Forgot Your Password?” function with the e-mail address. Or is that too simple?
Regards,
Shodan
You could do that, but that would mean you could lock out anyone just by passing in a couple of wrong passwords, which would break down the system very very quickly.
It is also frightening…flat out terrifying in fact…how many people use one of a handful of passwords.
Just this list:
sex, god, jesus, love, password, (repeat username)
Would probably crack 5-10% of the email accounts in existence.
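The two points made in the posts above, the lockout that "would break down the system very very quickly" and the handful of passwords that crack a large share of accounts, as an added example that is not from the thread. The denylist is the list quoted above plus a blank password; the victim's real password, the addresses and the clock are constructed. The same counter is keyed two ways: on the account alone (the behaviour the thread attributes to old Hotmail) and on the (source address, account) pair, and a short simulation shows who ends up locked out in each case.

```python
import time
from collections import defaultdict

# Constructed denylist: the guesses listed in the post above, plus the blank password.
COMMON_PASSWORDS = {"sex", "god", "jesus", "love", "password", ""}
REAL_PASSWORD = "Tr0ub4dor&3"  # constructed: the victim's actual password


def is_weak(username: str, password: str) -> bool:
    """True if the password is on the denylist or merely repeats the username."""
    p = password.lower()
    return p in COMMON_PASSWORDS or p == username.lower()


class FailureGuard:
    """Sliding-window failed-login counter.

    per_source=False keys on the account alone: after max_failures nobody can
    log in to that account for lock_seconds, including its owner.
    per_source=True keys on (source, account): only the party doing the
    guessing is slowed down.
    """

    def __init__(self, per_source: bool, max_failures: int = 5,
                 lock_seconds: int = 900, clock=time.monotonic):
        self.per_source = per_source
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock                 # injectable so the simulation is deterministic
        self.failures = defaultdict(list)  # key -> timestamps of recent failures

    def _key(self, account: str, source: str):
        return (source, account) if self.per_source else account

    def attempt(self, account: str, source: str, password_ok: bool) -> str:
        """Returns 'locked', 'ok' or 'fail'. password_ok is passed in here so the
        example stays self-contained; real code would verify the password only
        after the lock check."""
        key = self._key(account, source)
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < self.lock_seconds]
        if len(recent) >= self.max_failures:
            self.failures[key] = recent
            return "locked"
        if password_ok:
            self.failures[key] = []
            return "ok"
        recent.append(now)
        self.failures[key] = recent
        return "fail"


def simulate(per_source: bool) -> dict:
    """An attacker runs the denylist against 'victim' from one address; the
    victim then logs in with the right password from another address."""
    guard = FailureGuard(per_source=per_source, clock=lambda: 0.0)
    attacker = [
        guard.attempt("victim", "203.0.113.5", password_ok=(guess == REAL_PASSWORD))
        for guess in sorted(COMMON_PASSWORDS)
    ]
    victim = guard.attempt("victim", "198.51.100.7", password_ok=True)
    return {"attacker": attacker, "victim": victim}


if __name__ == "__main__":
    print("account-keyed:", simulate(per_source=False))
    print("source-keyed: ", simulate(per_source=True))
```

With the account-keyed counter the attacker's six bad guesses lock the victim out of their own account; with the source-keyed counter the attacker is stopped at the same point and the victim still gets in. Keying on the source alone is not a complete answer either, since guesses spread over many addresses never trip it, which is why sites combine it with a per-account CAPTCHA or alert like the one described for Hotmail earlier in the thread rather than a hard per-account lock.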
Don’t forget about folks leaving the password field blank, either.
As noted above that will generally send the reset password to said email address. Unless you can read their email to begin with you won’t get your hands on the pwd.
The combination is 1 2 3 4.
Remind me to change the combination on my luggage.
I am often confronted with password-protected sites that still put a maximum length at 8 characters and don’t allow non-alpha or non-numeric characters. Banks, even.
I have always found this restriction bizarre in the extreme, along with the one restricting certain characters from being used in passwords. Are these people storing passwords as filenames in a FAT16 system or something? Do their servers run MS-DOS? Their tech staff would have to be monumentally incompetent to include these kinds of restrictions in their passwords.
This drives me up a wall, too. I’ve been using punctuation and other non-alphanumeric characters in my passwords since 1993, and a surprisingly high percentage of sites in 2009 do not allow this. Why in the hell isn’t the entire character set available for passwords? And, like you, I’ve encountered sites that limit your password to like 6-10 characters.
I still cannot even grasp why they do this at all. I guess you could sort of make a weak case for the character limit in terms of space if you get a lot of hits (though I think most String objects are pretty uniform in that regard nowadays, wouldn’t bet on that though). But non-standard characters? It can’t make it any bit harder to check the password, it’s a stringInput.equals(stringOutput) check, are the programmers that afraid the characters won’t get escaped correctly when someone decides to reenact xkcd?
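As an added example, not from the thread, here is what the password check looks like when the server never stores the password at all: a salted PBKDF2-HMAC-SHA256 record of fixed size, compared in constant time. Under that scheme the length limits and character restrictions the last few posts complain about buy nothing, because the input is hashed as UTF-8 bytes and the stored record is the same size whether the password is 8 or 200 characters and whatever it contains. The `$`-separated record format, the iteration count and the sample passwords are choices made for this example.

```python
import hashlib
import hmac
import os
import secrets
import string

ALGORITHM = "pbkdf2_sha256"


def generate_password(length: int = 21) -> str:
    """Random password over the full printable ASCII set (letters, digits,
    punctuation), the kind of password the thread recommends."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256. The password is consumed as UTF-8 bytes, so
    any character and any length are fine; the stored record is fixed-size.
    The iteration count is a tunable picked for this example, not a standard."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.
    No plaintext is stored, and no string equality check is ever made on it."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_length(password: str) -> int:
    """Length of the stored record; independent of the password's length."""
    return len(hash_password(password))


if __name__ == "__main__":
    # Constructed sample inputs: short, long random, non-ASCII with SQL-looking
    # punctuation, and one made entirely of the record separator.
    for pw in ["abc", generate_password(21), "pässwörd ' OR '1'='1", "$" * 40]:
        record = hash_password(pw)
        print(len(record), verify_password(pw, record), verify_password(pw + "x", record))
```

The last sample password is nothing but `$` characters, the separator of the record format, and it still round-trips, because the password never appears in the record; that is the whole answer to the escaping worry in the post above. Raise the iteration count until a hash takes a noticeable fraction of a second on the server, and treat the record as the only thing the database ever holds.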