18 items tagged “passwords”
For those who haven’t heard the story the details were pulled from a Christian dating site db.singles.org which had a query parameter injection vulnerability. The vulnerability allowed you to navigate to a person’s profile by entering the user id and skipping authentication. Once you got there the change password form had the passwords in plain text. Someone wrote a scraper and now the entire database is on Mediafire and contains thousands of email/password combinations.
— rossriley on Hacker News
23rd August 2009, 10:10 am
Facebook Hacked By 4chan, Accounts Compromised. It wasn’t Facebook that got hacked: 4chan members got hold of a list of usernames and passwords from an insecure Christian dating site and started using them to raise complete hell. Yet another demonstration that storing your users’ passwords in the clear is extremely irresponsible, and also a handy reminder that regular users who “don’t have anything worth securing” actually have a great deal to lose if their password gets out.
23rd August 2009, 10:02 am
The Anatomy Of The Twitter Attack. Long-winded explanation of the recent Twitter break-in, but you can scroll to the bottom for a numbered list summary. The attacker first broke into a Twitter employee’s personal Gmail account by “recovering” it against an expired Hotmail account (which the attacker could hence register themselves). They gained access to more passwords by searching for e-mails from badly implemented sites that send you your password in the clear.
20th July 2009, 12:55 am
Weak Password Brings “Happiness” to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts.
7th January 2009, 12:04 pm
Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder.
2nd January 2009, 10:48 am
Facebook’s new signup process. It looks like they’ve dropped the “enter your password twice” pattern. Is this really a good idea? I suppose if people mis-type it they can always use forgotten password to set a new one.
12th December 2008, 11:43 am
.. yet another ridiculous data breach: this time, people’s passwords to the Government Gateway on a memory stick dropped in the road. Perhaps it is uncouth to point this out, but... if the system had been designed by people with any security clue whatsoever there would have been no passwords to put on a memory stick in the first place.
— Ben Laurie
2nd November 2008, 1:04 pm
The Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse—the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
— Kim Zetter, Wired
18th September 2008, 10:23 pm
OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.
— Blaine Cook
14th August 2008, 10:01 am
Facebook Security Advice: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To. Nice to see TechCrunch highlighting the hypocrisy of Facebook advising their users to never enter their Facebook credentials on another site, then asking them for their webmail provider password so they can scrape their address book.
9th August 2008, 10:18 am
Changeset 8162. “Implemented a secure password reset form that uses a token and prompts user for new password”—also sneaks base36 encoding and decoding into Django.
31st July 2008, 10:54 pm
Historically, Internet companies have rarely encrypted passwords to aid customer service.
— Fasthosts
18th October 2007, 5:27 pm
The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords?
12th October 2007, 9:25 am
Choosing Secure Passwords. Bruce Schneier describes the state of the art in password cracking software.
11th January 2007, 2:55 pm
ephemeral profiles (cuz losing passwords is common amongst teens). Lost your password? Create a new profile; you had too many friends you didn’t know anyway.
7th January 2007, 10:37 pm
Real-World Passwords. Random passwords phished from MySpace are surprisingly decent.
14th December 2006, 2:14 pm
Will Trade Passwords For Chocolate (via) I’m not at all surprised. Most people see passwords as more of an annoyance than a security measure.
20th April 2004, 4:27 am
Remembering passwords
Via Scott, an article with some great tips on remembering your passwords. It includes the following vitally important tip: [... 273 words]