
SecFail Focus: Passwords


For the month of November, and just to get people going on our forums (ahem, shameless plug), I decided to work on a series of sticky posts; this particular one is focused on passwords.

For this one, I wanted to go through a few interesting posts (maybe one day I'll do something fun with this in a presentation). We can passively deduce potential problems just by looking at some of the flaws:

https://twitter.com/mholt6/status/664486437241286656

The obvious concern here is: why would spaces not be allowed? Spaces are typically disallowed when a developer is reading the raw input and cannot reliably decide where the password begins and ends. For example, if my password is:

Password: Really Super Awesome

When I go to read that back from a database or as a string, I may fail to realise the space is there, so the password may end up being stored as Really.


Why on earth, in today's world, is this person not hashing that password before storing it? Why are they unable to read a string with so many 'special characters'? What are they doing!? Are they just blindly trusting input from the form?

And of course, I need to put in the obligatory Stack Overflow link to prove that people still do dumb things:

http://stackoverflow.com/questions/17118883/php-password-encryption-key-include

So much is wrong with this code concept... oh my lord. Double equals in PHP, taking in raw $input from god knows where, loose comparison in PHP (double equals), using MD5, double equals again... I can't even begin. My favourite, however, is the question "Why do you want to hash..." Yeah, why indeed.

This got me thinking about how many people have password issues on the internet, so I started this forum post. I am hoping that others contribute below. I'll start off by giving some of the funnier ones I've seen.

https://twitter.com/s1mn/status/663464530702397440

So, passwords that are too long? Hashes don't work that way, by the way, guys; they are generally fixed length. An MD5 hash (which is weak) is about 32 hex digits long, whatever the input length. 25 > 32... hmm. Que?
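To tie the spaces example, the "why not hash it" complaint and the fixed-length point together, here is an added example in Python (not code from the post or from any of the sites it links to). It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the storage scheme and uses the post's "Really Super Awesome" as a constructed sample password: the password is hashed as an opaque byte string, so spaces and special characters never need to be parsed, the stored record never contains the password, verification uses a constant-time comparison, and the hex digest length is the same whether the input is 25 or 500 characters.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample password taken from the post: it contains spaces and must
# be stored whole, never cut off at the first space.
SAMPLE_PASSWORD = "Really Super Awesome"


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Return a self-describing record of the form algo$iterations$salt_hex$digest_hex.

    The password is encoded to bytes as-is, so spaces, quotes, semicolons or
    non-ASCII characters survive unchanged. Only the salt and digest are stored,
    never the password itself.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_hex_length(password: str, algorithm: str = "md5") -> int:
    """Length of the hex digest; it depends on the algorithm, not on the password."""
    return len(hashlib.new(algorithm, password.encode("utf-8")).hexdigest())


if __name__ == "__main__":
    record = hash_password(SAMPLE_PASSWORD)
    print(record)
    print(verify_password(SAMPLE_PASSWORD, record))  # True
    print(verify_password("Really", record))  # False: a truncated password does not match
    print(digest_hex_length("a" * 25), digest_hex_length("a" * 500))  # 32 32
```

The record format is an assumption of this example; real applications should lean on their framework's password hashing (bcrypt, scrypt or Argon2 libraries) rather than hand-rolling one, but the properties shown are the ones that matter: no parsing of the raw password, a per-user salt, and a constant-time comparison on verify.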


This other one is genius: the poor guy is trying to ask for help and just posts his personal information all over the net :/.

https://twitter.com/TheRealBlondKid/status/663827502125682690

Not smart.

https://twitter.com/stuartw__/status/664028813215535104

I think Tesco has always had horrible security... but thanks for showing us what kind of passwords you use, I guess?! More of these will be on the forum as I find them throughout the month of November; feel free to add your own!

Fixing the issue?

One way I have attempted to fix this for myself is to use a password manager, such as Dashlane, for all my passwords. That's how we can solve it. Visit the 'Tools I Use' page to find more tools of the trade.
