Bucaro TecHelp

Excuse Me, May I Borrow Your Passwords?

Some time ago, I was one of the most prolific contributors to one of the most popular newsgroups on Usenet. The newsgroup's purpose was to provide fraudulently-obtained, but valid, passwords for websites.

The process there is fairly straightforward: someone posts the web site address of a site that they want (free and illegal) access to. Several group members with colorful nicknames then "run" the site. If a valid username/password is found, it is emailed to the requestor, who in turn publicly heaps praise on the grantor, thus inflating his or her ego. My colorful nickname was "PassBandit", and I have a few tips for you.

The web site password authentication process is chock-full of security flaws. And wherever there are security flaws, there are scads of both real and wannabe hackers trying to exploit them.

One of those flaws is the ability of a user to enter an unlimited number of username and password combinations without ever being locked out by the web site. For "PassBandit", this flaw meant he could run a software application that automatically tries usernames and passwords from a supplied list, then determines from the web site's reply whether the combination was successful. The program tried 70 different combinations simultaneously, which gave a rate of attempts in the several-hundred-per-second range. If a particular combination didn't work, the application simply tried another combination. And another. And another, until it found a combination that worked.
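The flaw described above is the absence of any lockout or throttling. What follows is an added example, not code from this article or site, of a simple login guard that counts failures per account and per source address in a sliding window and refuses further attempts once a threshold is reached, even when a later guess happens to be right. The user names, passwords, address and word list are constructed for the demonstration.

```python
"""Login guard closing the gap a PassBandit-style tool relies on: a site that
never locks out repeated failures lets a tool try hundreds of guesses a second.
Failures are counted per account and per source in a sliding window; once a
threshold is hit the attempt is refused before the password is even compared.
All data below is constructed; a real store would hold password hashes."""
from collections import defaultdict, deque
import hmac

# Constructed user table (plaintext only to keep the example short).
USERS = {"alice": "Tr0ub4dor&3-unique", "bob": "password"}

class LoginGuard:
    def __init__(self, max_per_account=5, max_per_source=20, window=60.0):
        self.max_per_account = max_per_account
        self.max_per_source = max_per_source
        self.window = window                      # seconds
        self.account_fails = defaultdict(deque)   # account -> failure times
        self.source_fails = defaultdict(deque)    # source  -> failure times

    def _recent(self, dq, now):
        """Drop timestamps older than the window, return the count left."""
        while dq and now - dq[0] > self.window:
            dq.popleft()
        return len(dq)

    def attempt(self, source, user, password, now):
        # Throttle decisions come first: a locked account or a throttled
        # source learns nothing about whether the guess was correct.
        if self._recent(self.account_fails[user], now) >= self.max_per_account:
            return "locked"
        if self._recent(self.source_fails[source], now) >= self.max_per_source:
            return "throttled"
        expected = USERS.get(user, "")
        if user in USERS and hmac.compare_digest(expected, password):
            self.account_fails[user].clear()
            return "ok"
        self.account_fails[user].append(now)
        self.source_fails[source].append(now)
        return "denied"

# Constructed guess list; the weak password is the last entry.
WORDLIST = ["123456", "qwerty", "letmein", "asdf", "welcome", "admin", "password"]

def simulate(guard, source, user, wordlist, rate_per_sec=350.0):
    """Replay a guess stream at a few hundred attempts per second."""
    return [guard.attempt(source, user, guess, now=i / rate_per_sec)
            for i, guess in enumerate(wordlist)]
```

With the default thresholds the correct guess is never accepted because the account locks after five failures; raising the thresholds shows the same stream succeeding, which is exactly the behaviour the article describes.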

Of course, there are some sites - not very many - that I couldn't get into. And, some sites were harder than others. However, every site that I did get into had one thing in common: at least one user that made a stupid (make that "ill-informed") choice of a username and password.

Once a username and password have been compromised, and when (not if) it is eventually discovered, most sites will instantly close the account. This eliminates the fraudulent use of that password, but also screws the poor fool who actually paid for access to the site.

Here are some tips to ensure that your account is not the weak account that the other "PassBandits" of the world compromise:

The password is more important than the username. Do not assume that because you have an unusual username (including email addresses) that you can choose a simple password. I'd say that at about 2-3% of the webservers I checked, I could obtain that site's entire list of users and their passwords. The passwords are encrypted, but the usernames are not. So, if you chose an easy password, such as "password" or "asdf", I'd have your username/password combination in amazingly short order.

Make your reminder question tough and unique. If the site offers a "secret question" -type access to your password (in case you lose it), make it something unique, such as "What is my nickname at work?". Believe it or not, a person actually had "QuestionQuestion" as his reminder question. Guess what the correct reply to his reminder question is? If you guessed "AnswerAnswer", congratulations -- the web site will now hand over the poor schmuck's password. True story!

Follow Stephen Bucaro

Copyright © 2001-2024 Bucaro TecHelp, 13771 N Fountain Hills Blvd Suite 114-248, Fountain Hills, AZ 85268