Excuse Me, May I Borrow Your Passwords?
By Mike Delaney
Some time ago, I was one of the most prolific contributors to one of the most popular
newsgroups on Usenet. The newsgroup's purpose was to provide fraudulently obtained,
but valid, passwords for websites.
The process there is fairly straightforward: someone posts the web site address of a
site that they want (free and illegal) access to. Several group members with colorful
nicknames then "run" the site. If a valid username/password is found, it is emailed
to the requestor, who in turn publicly heaps praise on the grantor, thus inflating
his or her ego. My colorful nickname was "PassBandit", and I have a few tips for you.
The web site password authentication process is chock full of security flaws. And
wherever there are security flaws, there are scads of both real- and wannabe-hackers
trying to exploit them.
One of those flaws is that a user can enter an unlimited number of username and
password combinations without ever being locked out by the web site. For
"PassBandit", this flaw meant he could run a software application that
automatically tried usernames and passwords from a supplied list, then read from the
web site's reply whether the combination had succeeded.
The program tried 70 combinations simultaneously, which gave a rate of attempts in
the several-hundred-per-second range. If a particular combination didn't work, the
application simply tried another combination. And another. And another, until it
found a combination that worked.
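The defensive counterpart to that flaw is a failure counter on the server side. The following is an added example, not code from the article: a sliding-window throttle keyed both by account and by source address, replayed over constructed log lines (the thresholds, the log format and the addresses are assumptions for the example).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the article.
USER_LIMIT, USER_WINDOW = 5, timedelta(minutes=15)  # lock an account after 5 failures
SRC_LIMIT, SRC_WINDOW = 20, timedelta(seconds=10)   # block a source after 20 failures

class LoginThrottle:
    """Sliding-window failure counters keyed by username and by source address."""
    def __init__(self):
        self.by_user = defaultdict(deque)
        self.by_src = defaultdict(deque)

    @staticmethod
    def _prune(q, now, window):
        while q and now - q[0] > window:  # drop failures older than the window
            q.popleft()

    def record_failure(self, user, src, now):
        self.by_user[user].append(now)
        self.by_src[src].append(now)

    def allow_attempt(self, user, src, now):
        """False once the account or the source has used up its failure budget."""
        self._prune(self.by_user[user], now, USER_WINDOW)
        self._prune(self.by_src[src], now, SRC_WINDOW)
        return (len(self.by_user[user]) < USER_LIMIT
                and len(self.by_src[src]) < SRC_LIMIT)

# Constructed sample log: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
BASE = datetime(2000, 1, 1)

def _line(offset_ms, result, user, src):
    ts = (BASE + timedelta(milliseconds=offset_ms)).isoformat()
    return f"{ts} {result} user={user} src={src}"

SAMPLE_LOG = (
    [_line(0, "FAIL", "alice", "10.0.0.5"), _line(1000, "OK", "alice", "10.0.0.5")]
    # one source working through a list of accounts, ten attempts per second
    + [_line(10_000 + 100 * i, "FAIL", f"u{i}", "192.0.2.1") for i in range(30)]
    # one account failing slowly, once a minute
    + [_line(60_000 * k, "FAIL", "bob", "10.0.0.9") for k in range(6)]
)

def replay(lines):
    """Feed log lines through the throttle; return the (user, src) attempts it refused."""
    throttle, refused = LoginThrottle(), set()
    for line in sorted(lines):  # ISO timestamps sort chronologically as strings
        ts, result, user, src = line.split()
        now = datetime.fromisoformat(ts)
        user, src = user.split("=", 1)[1], src.split("=", 1)[1]
        if not throttle.allow_attempt(user, src, now):
            refused.add((user, src))
        if result == "FAIL":
            throttle.record_failure(user, src, now)
    return refused
```

Replaying the sample log refuses the 21st and later attempts from 192.0.2.1 and the sixth attempt on "bob", while alice's single slip is untouched.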
Of course, there are some sites - not very many - that I couldn't get into. And some
sites were harder than others. However, every site that I did get into had one thing
in common: at least one user who made a stupid (make that "ill-informed") choice of
username and password.
Once a username and password have been compromised, and when (not if) the compromise
is eventually discovered, most sites will instantly close the account. This eliminates
the fraudulent use of that password, but also screws the poor fool who actually paid
for access to the site.
Here are some tips to ensure that your account is not the weak account that the other
"PassBandit"s of the world compromise:
• The password is more important than the username. Do not assume that because you
have an unusual username (including email addresses) you can choose a simple password.
At roughly 2-3% of the web servers I checked, I could obtain that site's entire list
of users and their passwords. The passwords are encrypted, but the usernames are not.
So, if you chose an easy password, such as "password" or "asdf", I'd have your
username/password combination in amazingly short order.
• Make your reminder question tough and unique. If the site offers a "secret question"
-type access to your password (in case you lose it), make it something unique, such as
"What is my nickname at work?". Believe it or not, a person actually had
"QuestionQuestion" as his reminder question. Guess what the correct reply to his
reminder question is? If you guessed "AnswerAnswer", congratulations -- the web site
will now hand over the poor schmuck's password. True story!