Can I have the first and last characters of your password please?
Posted by: bubbles
Date: January 28, 2007 10:17PM

So I log on to live chat support with my web host because I'm having some DNS issues with a new account I tried to create. The first thing he asks me is "Hello, can I have the first and last digits of your password as well as your primary username?". Of course I gave it to him.

Then after chatting for a little bit I realized that there were a lot of potentially dangerous things you can do after being verified. He can add/delete accounts, change billing information...

Anyway, my point is, getting someone's user name for a service is not that hard. Getting their password can be complicated... But I would think with some simple social engineering or a really good excuse you could coax the first and last digits of their password out of them; after all, they aren't giving up the full password, just two characters.

My web host is the only service I know of that uses this technique, I was just curious on all of your thoughts, and if you use any services that also use this type of verification, or something similar.

-bubbles
http://webmastertutorials.net

Re: Can I have the first and last characters of your password please?
Posted by: rsnake
Date: January 29, 2007 12:06AM

Ugh, that's terrible. How long is the password usually? 6 chars? 8? If you give him the first 2 chars and last 2 chars of the password he only has x^2 (where x is the number of possible character values IE: a-zA-Z0-9). If it's just a numeric password it is only 100 combinations. If they allow words for passwords and you get "pa....rd" you can easily cut it down to a few possible dictionary words. No, that's just bad security, no matter how you slice it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Can I have the first and last characters of your password please?
Posted by: Luny
Date: January 29, 2007 12:49AM

sure. they are F and U :P

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: Can I have the first and last characters of your password please?
Posted by: bubbles
Date: January 29, 2007 08:49AM

It's actually only the first and last, so password is p......d. But I agree with you, it's horrible security.

-bubbles
http://webmastertutorials.net

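As an added example (not code from anyone in the thread), this script puts numbers on rsnake's arithmetic and on bubbles' correction that only the first and last characters are disclosed: it computes the brute-force keyspace left for the password shapes mentioned (digits only, a-zA-Z0-9) and filters a word list down to the words matching a "p......d" hint. The word list is constructed for the demo and stands in for a real dictionary.

```python
"""Added example: what a 'first and last character' support check leaks.

Keyspace figures are for the sizes discussed in the thread; SAMPLE_WORDS
is a constructed stand-in for a real dictionary.
"""
import math

# Character classes mentioned in the thread.
ALNUM_SIZE = 62   # a-zA-Z0-9
DIGIT_SIZE = 10   # 0-9


def keyspace(alphabet_size: int, length: int, revealed: int = 0) -> int:
    """Brute-force candidates for a `length`-character password over an
    alphabet of `alphabet_size` symbols once `revealed` positions are known."""
    if not 0 <= revealed <= length:
        raise ValueError("revealed positions must be between 0 and length")
    return alphabet_size ** (length - revealed)


def bits_lost(alphabet_size: int, revealed: int) -> float:
    """Guessing work removed, in bits, by disclosing `revealed` positions."""
    return revealed * math.log2(alphabet_size)


def dictionary_candidates(words, first: str, last: str, length=None):
    """Words consistent with a hint such as 'p......d' (optionally of a
    known length).  This is the 'cut it down to a few words' attack."""
    return [
        w for w in words
        if len(w) >= 2
        and w[0] == first
        and w[-1] == last
        and (length is None or len(w) == length)
    ]


# Constructed word list standing in for a real dictionary.
SAMPLE_WORDS = [
    "password", "pretend", "pasted", "parked", "pizza",
    "dragon", "letmein", "proceed", "pound", "monkey",
]


def hint_report(first: str, last: str, length: int, words=SAMPLE_WORDS) -> dict:
    """Summarise what the helpdesk check leaks for one password shape."""
    return {
        "digits_only": keyspace(DIGIT_SIZE, length, 2),
        "alnum": keyspace(ALNUM_SIZE, length, 2),
        "alnum_no_hint": keyspace(ALNUM_SIZE, length, 0),
        "bits_lost_alnum": round(bits_lost(ALNUM_SIZE, 2), 2),
        "dictionary": dictionary_candidates(words, first, last, length),
    }


if __name__ == "__main__":
    for key, value in hint_report("p", "d", 8).items():
        print(f"{key:16} {value}")
```

For an 8-character alphanumeric password the two disclosed positions remove about 12 bits of work; for a 6-digit PIN the remaining space is 10,000 guesses; and with a length hint the sample dictionary collapses to a single word.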
Re: Can I have the first and last characters of your password please?
Posted by: Torstein
Date: January 29, 2007 11:46AM

As with the recent "Death by 1000 cuts" paper, not encrypting passwords is just plain stupid.

Re: Can I have the first and last characters of your password please?
Posted by: xpcer
Date: February 05, 2007 09:22PM

Torstein Wrote:
-------------------------------------------------------
> As with the recent "Death by 1000 cuts" paper, not
> encrypting passwords is just plain stupid.


I think encrypting passwords is a good way, but sometimes I don't trust some admins, because you know that any method to encrypt passwords is also not too secure. Like md5(): a password encrypted by md5() can be decrypted using the software at http://www.md5lookup.com/

Re: Can I have the first and last characters of your password please?
Posted by: Luny
Date: February 05, 2007 10:40PM

xpcer Wrote:
-------------------------------------------------------
> Torstein Wrote:
> -------------------------------------------------------
> > As with the recent "Death by 1000 cuts" paper, not
> > encrypting passwords is just plain stupid.
>
> I think encrypting passwords is a good way, but sometimes
> I don't trust some admins, because you know that any method
> to encrypt passwords is also not too secure. Like md5(): a
> password encrypted by md5() can be decrypted using the
> software at http://www.md5lookup.com/


That md5lookup.com site should really sanitize user input when searching the DBs. :P

---------------
Digital footprints suck. Learn to walk on your hands.
http://www.youfucktard.com

Re: Can I have the first and last characters of your password please?
Posted by: kogir
Date: February 05, 2007 11:52PM

Correct me if I'm wrong, but using an adequate salt should make the hash->working password inversion fairly difficult unless md5lookup somehow managed to find an input for all 2^128 md5 hash output values.

-kogir

Re: Can I have the first and last characters of your password please?
Posted by: kuza55
Date: February 06, 2007 02:12AM

kogir Wrote:
-------------------------------------------------------
> Correct me if I'm wrong, but using an adequate
> salt should make the hash->working password
> inversion fairly difficult unless md5lookup
> somehow managed to find an input for all 2^128 md5
> hash output values.

Yep, exactly, salted passwords are really the only way to go. They should also be unique to a user so that rainbow tables can't be generated for the whole site.

Re: Can I have the first and last characters of your password please?
Posted by: jungsonn
Date: February 06, 2007 10:16AM

@bubbles, so they store passwords un-hashed then? Ugh! cancel my account please!

Haha, you should have said: I can give you the first and last character of the hash!

Re: Can I have the first and last characters of your password please?
Posted by: jungsonn
Date: February 06, 2007 10:18AM

@kogir

Only one problem with that one: how and where do you store the salt? :) If I can obtain the salt as well, it's pretty useless. If anyone has a solution for this I'd really like to hear it, because I don't have one.

Re: Can I have the first and last characters of your password please?
Posted by: bubbles
Date: February 06, 2007 01:43PM

That's an interesting thought: they must have the passwords in plain text somewhere if they are going to ask me for the first and last character. I never thought about that.

The really scary part is that the people who are asking me for the information are outsourced and not part of the actual company. I have no idea what they'll do with it lol.

-bubbles
http://webmastertutorials.net

Re: Can I have the first and last characters of your password please?
Posted by: kogir
Date: February 06, 2007 02:44PM

@Jungsonn

For applications I've written I store the salt next to the hash in the DB, but it's almost unique per user (four random bytes), and hashes are of the form: SHA1(some mixture of username + password + salt). Yes, this does complicate things when a user wishes to change his/her name.

I thought about it for a while and I couldn't come up with a way to make a lookup table that I could use to accelerate the cracking process. If someone is going after a single user account I haven't upped the bar, but given access to all the hashes, salts, and user names, it's unlikely an attacker will be able to do a quick lookup and find an account to log in with.

If anyone has better ideas I'd love to know so I can implement them.

-kogir

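As an added example (not kogir's code, nor anything from md5lookup.com), this script puts xpcer's lookup-table attack, kuza55's per-user salt point and kogir's storage scheme side by side. The "lookup service" is a constructed five-entry table of unsalted MD5 digests; the user store follows kogir's description (four random salt bytes kept next to the hash, SHA1 over username, password and salt), with the NUL separators between fields being my assumption since the post only says "some mixture". It also shows the limit kogir acknowledges: an attacker holding hashes, salts and usernames can still run a dictionary attack against one chosen account.

```python
"""Added example: unsalted-MD5 lookup versus a per-user salted SHA1 store.

MD5_TABLE is a constructed stand-in for a public lookup service; the
store layout follows kogir's post, field separators are an assumption.
"""
import hashlib
import secrets

COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey"]

# Stand-in for a public MD5 lookup service: unsalted digest -> password.
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_lookup(digest_hex: str):
    """Reverse an unsalted MD5 by table lookup; None if the table lacks it."""
    return MD5_TABLE.get(digest_hex.lower())


def new_salt() -> bytes:
    """Four random bytes per user, as in kogir's post."""
    return secrets.token_bytes(4)


def salted_hash(username: str, password: str, salt: bytes) -> str:
    """SHA1 over username, password and salt.  The NUL separators are an
    assumption made here; the post only says 'some mixture' of the three."""
    h = hashlib.sha1()
    h.update(username.encode())
    h.update(b"\x00")
    h.update(password.encode())
    h.update(b"\x00")
    h.update(salt)
    return h.hexdigest()


def store_user(db: dict, username: str, password: str) -> None:
    """The salt is stored beside the hash.  It need not be secret, only
    unique per user, so no shared precomputed table applies to the whole DB."""
    salt = new_salt()
    db[username] = {
        "salt": salt.hex(),
        "hash": salted_hash(username, password, salt),
    }


def verify(db: dict, username: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    rec = db.get(username)
    if rec is None:
        return False
    candidate = salted_hash(username, password, bytes.fromhex(rec["salt"]))
    return secrets.compare_digest(candidate, rec["hash"])


def targeted_guess(db: dict, username: str, wordlist):
    """What an attacker with hashes, salts and usernames can still do: a
    dictionary run against one account.  The salt stops shared tables, not this."""
    for word in wordlist:
        if verify(db, username, word):
            return word
    return None


def build_demo_db() -> dict:
    """Two users with the same password; their stored hashes still differ."""
    db = {}
    store_user(db, "alice", "password")
    store_user(db, "bob", "password")
    return db


if __name__ == "__main__":
    print("md5 lookup:", md5_lookup(hashlib.md5(b"password").hexdigest()))
    db = build_demo_db()
    print("same password, different hashes:", db["alice"]["hash"] != db["bob"]["hash"])
    print("targeted dictionary run on alice:", targeted_guess(db, "alice", COMMON_PASSWORDS))
```

The two results to compare are the first and the last print: the unsalted digest is answered instantly by the table, while the salted store forces the attacker to hash the dictionary once per account rather than once for the site.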