Password harvesting

  1. #1
    Does anyone else use the same few passwords on all websites?

    Wouldn't it be trivial for a site to suddenly claim "password not recognised" due to (technical issues), causing most users to try all their normal passwords with that site?

    It seems like passwords must be more exploited than ever.

    BTW password reuse is a bad idea, you should use a different password for every site (even though none of us do). For instance I had my vk.com account compromised a few months ago due to this, causing people to unfriend me. I know my old username/password combo is out there somewhere.
  2. #2
    infinityshock Black Hole
    Originally posted by MORALLY SUPERIOR BEING 2.0 - The GMO Reckoning Does anyone else use the same few passwords on all websites?

    Wouldn't it be trivial for a site to suddenly claim "password not recognised" due to (technical issues), causing most users to try all their normal passwords with that site?

    It seems like passwords must be more exploited than ever.

    BTW password reuse is a bad idea, you should use a different password for every site (even though none of us do). For instance I had my vk.com account compromised a few months ago due to this, causing people to unfriend me. I know my old username/password combo is out there somewhere.

    i have a mental disorder where i memorize the stupidest shit and don't forget it. (for some ungodly reason i have my first credit card number memorized.) that being the case...i have all my differing passwords for my computer, assorted programs, various websites, etc, memorized...and the less significant the purpose, the simpler the password. my facebook pages have the shittiest PWs because i couldn't care less if they get swiped. for my 'sophisticated' sites...like my work stuff...i have characters and numbers...for example 'i pounded your mom till my balls hurt' is 1#UR303^!11 (that's eleven) ...etc

    my first computer password was '07734' and '7734 2 09'
  3. #3
    aldra JIDF Controlled Opposition
    Originally posted by infinityshock my first computer password was '07734' and '7734 2 09'

    were you 12
  4. #4
    Ajax African Astronaut [rumor the placative aphakia]
    Lanny installed a nifty feature here so you don’t accidentally post your password. If you type your password and hit submit without realizing you’re in a reply box, it will display as asterisks instead of the true characters. See, here’s mine - **************. Try it out!
  5. #5
    infinityshock Black Hole
    Originally posted by aldra were you 12

    no
  6. #6
    infinityshock Black Hole
    Originally posted by Ajax Lanny installed a nifty feature here so you don’t accidentally post your password. If you type your password and hit submit without realizing you’re in a reply box, it will display as asterisks instead of the true characters. See, here’s mine - **************. Try it out!

    ifuckedyourmomsohardshegaveyouasibling
  7. #7
    infinityshock Black Hole
    Originally posted by Ajax Lanny installed a nifty feature here so you don’t accidentally post your password. If you type your password and hit submit without realizing you’re in a reply box, it will display as asterisks instead of the true characters. See, here’s mine - **************. Try it out!

    no, i tried it. it doesn't work
  8. #8
    Originally posted by Ajax Lanny installed a nifty feature here so you don’t accidentally post your password. If you type your password and hit submit without realizing you’re in a reply box, it will display as asterisks instead of the true characters. See, here’s mine - **************. Try it out!

    In theory Lanny shouldn't have access to any of our passwords, since they are all fairly well salted.

    Of course my Python is as bad as my French, and even if he is honest all passwords are decodable due to GPUs.
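The storage model #8 is gesturing at, as an added example (not the site's code, and not Lanny's): the server keeps only a random per-user salt and a key derived with a memory-hard function, so the operator never holds the plaintext and GPU guessing is made expensive rather than free. It assumes a constructed sample password; scrypt parameters are illustrative.

```python
import hashlib
import hmac
import os

# scrypt cost: 128 * r * n bytes of memory per guess (16 MiB here), chosen to
# blunt GPU cracking. Values are illustrative, not a recommendation for any site.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Memory-hard derivation; falls back to PBKDF2 if this Python lacks scrypt."""
    pw = password.encode("utf-8")
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                              p=SCRYPT_P, dklen=KEY_LEN)
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000, dklen=KEY_LEN)


def store_password(password: str) -> dict:
    """What the server keeps: a fresh random salt and the derived key, never the password."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "key": _derive(password, salt).hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["key"])
    return hmac.compare_digest(expected, _derive(attempt, salt))


if __name__ == "__main__":
    rec_a = store_password("correct horse")  # constructed sample credential
    rec_b = store_password("correct horse")  # same password, different salt
    print(rec_a)
    print("same password, same key?", rec_a["key"] == rec_b["key"])  # False
    print("login ok?", verify_password(rec_a, "correct horse"))      # True
    print("wrong password?", verify_password(rec_a, "Correct horse"))  # False
```

Because the salt is random per record, two users sharing a password get unrelated keys, so a leaked table cannot be cracked once and applied to everyone.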
  9. #9
    SBTlauien African Astronaut
    Originally posted by Ajax Lanny installed a nifty feature here so you don’t accidentally post your password. If you type your password and hit submit without realizing you’re in a reply box, it will display as asterisks instead of the true characters. See, here’s mine - **************. Try it out!

    My account is set up so that there is no password on it.
  10. #10
    Sophie Pedophile Tech Support
    If you want to harvest passwords make one of those "Is my password secure" sites. Just save the passwords and randomly generate a "Safe" or "Not Safe" result page or some shit.

    Also, IDK if there's even any need for this. Last i heard, there's a database with 1.2 billion unique passwords in it for your cracking pleasure. In any case you should check out SecLists on GitHub.
  11. #11
    Originally posted by infinityshock my first computer password was '07734' and '7734 2 09'

    so that's your birth date?
  12. #12
    Originally posted by Ajax Lanny installed a nifty feature here so you don’t accidentally post your password. If you type your password and hit submit without realizing you’re in a reply box, it will display as asterisks instead of the true characters. See, here’s mine - **************. Try it out!

    nice try.

    that's what the preview function is for.
  13. #13
    Originally posted by infinityshock no, i tried it. it doesnt work

    it's a tard bait.
  14. #14
    Lanny Bird of Courage
    Originally posted by MORALLY SUPERIOR BEING 2.0 - The GMO Reckoning Does anyone else use the same few passwords on all websites?

    Wouldn't it be trivial for a site to suddenly claim "password not recognised" due to (technical issues), causing most users to try all their normal passwords with that site?

    It seems like passwords must be more exploited than ever.

    BTW password reuse is a bad idea, you should use a different password for every site (even though none of us do). For instance I had my vk.com account compromised a few months ago due to this, causing people to unfriend me. I know my old username/password combo is out there somewhere.

    For better or worse the standard threat model is that service providers don't do malicious things and that compromises are relatively infrequent and don't last long. Under that assumption it's reasonable to say that it's not such a terrible thing that a service provider might be able to elicit a list of widely reused passwords from you, since by our assumptions, they simply won't ever do that.

    It's not really as stupid as it sounds. Most providers have more of an interest in pinning you to a stable, advertisable, secure identity than they do to getting into your email inbox. From their perspective they simply don't plan to do that, so it's a non-issue. Now you should probably be a little more skeptical than that as a consumer, but if you try to assume that every service provider you interact with has malicious intent and that you need to restrict the level of information about you to what you're comfortable being in the hands of a malicious party, then the amount of the internet you get to use gets pretty small and pretty unfun to use.

    I'm not saying that isn't the attitude you should have, honestly zero trust is probably the only defensible-from-first-principles way of doing things. I'm just saying there are practical reasons we might prefer a model where participation in a service grants limited trust to the service provider as opposed to try to zero-trust everything, and if we accept that tradeoff then your service provider trying to trawl for your reused passwords isn't really your biggest concern.
  15. #15
    Ghost Black Hole
    I've been using the same password since I was 12 years old.

    It uses every letter of the betabet at least once and is so good I can write down the password and people still don't input it right because it's so long; if you make one mistake it's over.
  16. #16
    Originally posted by Lanny
    For better or worse the standard threat model is that service providers don't do malicious things and that compromises are relatively infrequent and don't last long. Under that assumption it's reasonable to say that it's not such a terrible thing that a service provider might be able to elicit a list of widely reused passwords from you, since by our assumptions, they simply won't ever do that.

    It's not really as stupid as it sounds. Most providers have more of an interest in pinning you to a stable, advertisable, secure identity than they do to getting into your email inbox. From their perspective they simply don't plan to do that, so it's a non-issue. Now you should probably be a little more skeptical than that as a consumer, but if you try to assume that every service provider you interact with has malicious intent and that you need to restrict the level of information about you to what you're comfortable being in the hands of a malicious party, then the amount of the internet you get to use gets pretty small and pretty unfun to use.

    I'm not saying that isn't the attitude you should have, honestly zero trust is probably the only defensible-from-first-principles way of doing things. I'm just saying there are practical reasons we might prefer a model where participation in a service grants limited trust to the service provider as opposed to try to zero-trust everything, and if we accept that tradeoff then your service provider trying to trawl for your reused passwords isn't really your biggest concern.

    2 things about service providers:

    1 - they're sometimes incompetent.

    2 - they hire people who are/could be malicious.
  17. #17
    filtration African Astronaut
    This post has been edited by a bot I made to preserve my privacy.
  18. #18
    Lanny Bird of Courage
    Originally posted by vindicktive vinny 2 things about service providers:

    1 - they're sometimes incompetent.

    2 - they hire people who are/could be malicious.

    These are true, but it doesn't seem to change much. Incompetence is fairly unlikely to lead to a third party creating a situation like the one described in OP. Most security compromises involve exfiltration but not ongoing alteration to running software. Not to say that doesn't happen, but usually the assumption is that it doesn't.

    To the second point, sure, they could hire some guy or contract out to some company that goes rogue and tries an attack like that but again this is usually a scenario that's excluded from the (service provider's) security model, mostly because there's not really anything you can do about it once it happens. Like the way to treat malicious employees or contracting agencies is to avoid them. Sure you'll want to keep people watching each other through code review and security audits (although I'm kinda skeptical of the latter practice as it ended up working in the real world) but if you're operating on the assumption that you can't trust your own software not to be malicious then there is no technical solution, you're just fucked.

    It's like hey, Intel is probably doing some shady stuff with their ME bullshit but if you're running on an Intel processor there's nothing you can do, you can't write software that's secure in the face of arbitrary runtime changes to it; even things like cryptographic signing don't really work under this assumption because the verification logic can be compromised. Threat models must assume some level of trust to operate, less is better of course, but there are classes of attack that it just doesn't make sense to try to address at the application level.
  19. #19
    Originally posted by Lanny
    These are true, but it doesn't seem to change much. Incompetence is fairly unlikely to lead to a third party creating a situation like the one described in OP. Most security compromises involve exfiltration but not ongoing alteration to running software. Not to say that doesn't happen, but usually the assumption is that it doesn't.

    To the second point, sure, they could hire some guy or contract out to some company that goes rogue and tries an attack like that but again this is usually a scenario that's excluded from the (service provider's) security model, mostly because there's not really anything you can do about it once it happens. Like the way to treat malicious employees or contracting agencies is to avoid them. Sure you'll want to keep people watching each other through code review and security audits (although I'm kinda skeptical of the latter practice as it ended up working in the real world) but if you're operating on the assumption that you can't trust your own software not to be malicious then there is no technical solution, you're just fucked.

    It's like hey, Intel is probably doing some shady stuff with their ME bullshit but if you're running on an Intel processor there's nothing you can do, you can't write software that's secure in the face of arbitrary runtime changes to it; even things like cryptographic signing don't really work under this assumption because the verification logic can be compromised. Threat models must assume some level of trust to operate, less is better of course, but there are classes of attack that it just doesn't make sense to try to address at the application level.

    you're right.

    i was thinking more of a targeted attack on a specific individual scenario, like a high-ranking government employee.