How do those hackers do it?

Even the SQL injection thing doesn’t hold water, because passwords should never be stored as cleartext. They should be salted and hashed, and stored that way. And hashed strings don’t have any "s or 's.
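The salted-and-hashed storage this post describes, as an added example that is not from the thread: PBKDF2 from Python's standard library, with a per-user random salt. The record layout, algorithm label and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the example (not from the thread).
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password
    get different records, so a cracked hash cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def contains_quote_chars(record: str) -> bool:
    """The point made in the post: the stored record is hex plus a fixed label,
    so whatever characters the user typed never reach the database verbatim.
    (Parameterized queries are still what actually stops injection; this is
    a side effect of hashing, not a substitute.)"""
    return "'" in record or '"' in record


if __name__ == "__main__":
    # Constructed sample: a password full of SQL metacharacters.
    rec = hash_password("it's a \"test\"")
    print(rec)
    print("quotes in stored record:", contains_quote_chars(rec))
    print("verifies:", verify_password("it's a \"test\"", rec))
```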

True, but then you don’t get to link to xkcd.

I am very computer savvy (network admin), use strong passwords and used to work in network operations at AOL and still use AOL.

The biggest hole for security at AOL was keyloggers and phishing sites back when I worked there. The security folks at AOL were damned good. Sadly a reasonable number of the users would fall for anything. Note, that is not just an AOL problem, it is a problem everywhere. Kevin Mitnick claims he got into SCO, PacBell, FBI, Pentagon, Novell, CA DMV, USC and the Los Angeles Unified School District using social engineering. In other words, he talked people into giving him the passwords. I believe him.

Heck, even at my present job I have people offer up their passwords to me over the phone without verifying that I am who I say I am. This is without me asking. I tell them a) I can change their password anytime I like so they don’t need to give it to me, if I need to get in I’ll change it and let them change it back* later and b) never, ever offer anyone their password.

Slee

*Of course, due to our password requirements they cannot change it back to the original password so we rarely do this.

My bank uses very small easy passwords. My college system however has the most complex system ever for passwords. They are over extreme. I'm glad somebody can take a loan out in my name but they won't be able to sign me up for classes!

Your college too? If your password isn’t something like zK7j3o274ffB on mine it will NEVER let you use it. I suppose that’s a good thing if you’re like me and others who memorize it, but it just causes most people to write it down in their notebook or something :smack:.

There was a memo circulating around the university a few years ago, saying that it’d come to their attention that some folks were using weak passwords for their Banner accounts, and reminding everyone to use strong passwords, with at least eight characters, including letters, numbers, and symbols, etc. All well and good, except that the only passwords Banner would allow were six-digit numbers. Letters aren’t even possible.

To make matters worse, everyone has to change their Banner passwords every so often. It’s security theater, which has no effect other than to guarantee that a lot of folks will be forced to write down their passwords or choose something they can remember. Myself, I rotate between various physical constants, my birthdate, and the number of licks it takes to get to the Tootsie Roll center of a Tootsie Pop.

I was interested in exactly this many years ago (mid '90s.) First off, AOL was brute-forceable back then but they fixed that before the turn of the century. I knew a guy who wrote some software that would brute force AOL passwords. You could load a ~60,000 item list into it and it’d run through it in a couple hours. It was almost every word in the dictionary plus some common names, common word/number combinations, etc. Back then, this was sufficient to crack virtually anybody’s password. I cracked my friends’, my parents’, etc., just for fun. I would always tell them about it or do something dumb like write funny stuff in their profile or send silly emails to themselves so they knew it was me.

But the funny thing was, I knew some shady characters who gathered random AOL names en masse to crack them and use them to send spam, and they didn’t bother with the huge password lists. They got more accounts than they could ever use just with 5 words: love, password, abc123, and 1234.

That’s why they make you choose more secure passwords these days.

And FTR I have NO idea how you’d do it these days and don’t care. I’m far beyond the age at which I thought it was a novelty and I have no desire to do anything nefarious with other people’s information.

I think the limited-length, reduced-character-set password routines are leftovers from days of yore, when storage was tight, security was lax and the Internet not available to most. You know, back when men were men and sheep were nervous.

Easiest way would be keylogger sent via email, especially if it can be sent from the gf or someone he knows. “Hey check out this hilarious video!” Attach an .exe and off you go.

This trick still works and will probably forever work. The Storm botnet was built using this trick.

There was a very interesting segment on NPR just a couple days ago on this. Link here: Hackers Have It Easy : NPR

Short version: The password recovery is the first and easiest step. That’s how Sarah Palin’s Yahoo account was hacked last year. If that doesn’t work, brute force to a POP or IMAP account might work, or attempt to get a keylogger installed. The interesting thing here is that having a strong password only helps in one of those three attacks.

A good password written down is much much much better than a weak password memorized. The big risk for banks and school etc. is that someone away from you will log into your accounts and mess with them.

But when you do password recovery it just sends the password to a different email account. How did they get into that one?

Not always. Sometimes it asks you for the answer to the secret question and lets you reset the password right there. That’s how Hotmail used to do it (or may very well still do it, for all I know.)

Right, it asks you stuff like “what high school did you go to.” For someone like Sarah Palin, that’s public information. If it’s someone you know then it’s just as easy.

Another form of social hacking is to set up a questionnaire site, IQ site, ‘If you were a car, you’d be a xyz!’ type site, and send them a link. Make them register to get the results (Email, username, password, etc). You’d be surprised how often people use the same password over and over at different sites. If they create a password at your site and you have an email address, you’ve got a good shot they match up.

But it’s much easier to lose something that’s written down. And if I’ve ever seen you log in, I probably know where you keep it.

I agree with you on a bank account. But a school account? How often would that be just some random person? Perhaps more common than I realize?