cute robot

TimNash.co.uk

Dev/Sec/Ops with a splattering of humour

Password Protection round x

Really old post – This post is from 9 years, 3 months and has not been updated, some if not all of the information maybe out of date. Proceed with caution.

my friend Angie pointed me to this latest twitter status update and I thought it was worth sharing.

It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra ” security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. – http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password

so let’s recap, user creates turnkey websites with backdoor to grab all usernames, emails and passwords then uses the email/password username/password combinations on numerous sites. You can read the daily mail style Techcrunch reaction.

Now remember…

A scary 92% of people use the same password across all websites including their email accounts.

that was based off Venture Skills research that we presented last year, you may remember the post it was imaginatively entitled please stop using the same passwords. Um it would appear people didn’t!!!

While the latest scam hit a big site userbase, literally thousands of sites can be using scripts with backdoors or even deliberately attempting to store usernames and passwords in clear for reuse in hacking attempts. What’s more with “invite your friend” scripts still doing the rounds, people are literally giving away the keys to their gmail, yahoo accounts.


back in 2008 I wrote a post on how easy it was to manipulate the invite your friend scripts with just one line of code turning them from a benign tool to literally a way to drain you dry.

Solving Password problems

While in the perfect world every site would have a unique password this is not going to happen. Therefore you need to organise yourself into creating a series of passwords (with the higher security risk being both unique and non linked) here is some handy hints…

  • Never use the same password for email and bank details (including PayPal)
  • If you struggle with alphanumeric passwords or need to change passwords monthly look at including the date or some representation of the date for better security within the password.
  • If you are required to include a capital letter don’t do it at the start of the password ;)
  • pass phrases tend to be much harder to crack while easier to remember
  • Never use an inviter script that asks for your password to your email account
  • don’t use the same password on that torrent site as your twitter account

Remember if some one accesses your primary email account what information can they get about you?