SecFail Focus: Passwords
For the month of November, and just to get people going on our forums (ahem, shameless plug), I decided to go ahead and work on a series of sticky posts. This particular one is focused on passwords.
For this one, I wanted to go through a few interesting posts (maybe I’ll do something fun with this one day in a presentation). We can passively deduce potential problems just by looking at some of the flaws:
The concern here, obviously, is why would spaces not be allowed? Spaces typically get banned when a developer is handling the raw characters of the password and can’t reliably tell where the password begins and ends. For example, if my password is:
Password: Really Super Awesome
When I go to read that back from a database or as a string, I may not realize that the spaces are there, so the password may end up being stored as Really.
Why on earth, in today’s world, is this person not hashing that password before storing it? Why are they unable to read a string with so many ‘special characters’? What are they doing!? Are they just blindly trusting input from the form?
So much wrong with this code concept... oh my lord. Double equals in PHP, taking in raw $input from god knows where, loose comparison in PHP (double equals), using MD5, double equals again... I can’t even begin. My favorite, however, is the question “Why do you want to hash...” Yeah, why indeed.
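To make the two complaints above concrete (raw input compared with `==` against an `md5()` string, and the “why would spaces be a problem?” question), here is an added example that is not from the original post or from the code in the screenshot. The weak check is shown only far enough to explain the risk; the rest is the fix. The sample passwords are constructed, and the function names (`weakCheck`, `storePassword`, `checkPassword`) are my own.

```php
<?php
// Added example (not the post's own code): the weak pattern next to the fix.

// --- The weak pattern the post describes (kept only to show the risk) ---
// Stored "hash" is md5() hex, and the check uses loose comparison (==).
// PHP compares two numeric-looking strings numerically, so any two strings
// of the form "0e<digits>" are equal: both evaluate to the number zero.
function weakCheck(string $input, string $storedMd5): bool
{
    return md5($input) == $storedMd5;   // loose comparison on a hex string
}

var_dump("0e123" == "0e456"); // bool(true): type juggling, not a hash match

// --- The hardened version ---
// password_hash() picks a salted, slow algorithm (bcrypt by default) and
// password_verify() does the comparison for you. The input is treated as
// an opaque byte string, so spaces and special characters never need to be
// "handled": nothing is parsed, split or trusted.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $input, string $storedHash): bool
{
    return password_verify($input, $storedHash);
}

// Constructed sample inputs: a password with spaces (the post's example),
// one longer than the 25-character limit from the screenshot, and one full
// of the "special characters" the form refused.
$passwords = [
    "Really Super Awesome",
    "this passphrase is well over twenty-five characters long!",
    "sp3ci@l <chars> & 'quotes' \"too\"",
];

foreach ($passwords as $p) {
    $hash = storePassword($p);
    // The hash is a fixed length (60 chars for bcrypt) however long the input.
    printf("len(input)=%2d len(hash)=%d verify=%s truncated=%s\n",
        strlen($p), strlen($hash),
        checkPassword($p, $hash) ? 'ok' : 'FAIL',
        checkPassword("Really", $hash) ? 'FAIL' : 'rejected');
}

// If you ever must compare two secret strings yourself (say, an API token),
// use hash_equals(): strict, constant-time, no type juggling.
var_dump(hash_equals("0e123", "0e456")); // bool(false)
```

Two caveats a practitioner would want: `password_verify()` also returns false for the truncated-at-the-space variant (`Really`), which is exactly the failure the post describes, and bcrypt itself silently ignores input past 72 bytes, so a maximum length is legitimate; it just needs to be generous and enforced consistently rather than set at 25.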
This got me thinking about how many people have password issues on the internet, so I started this forum post. I am hoping that others contribute below. I’ll start off by giving some funnier ones I’ve seen.
So, passwords that are too long. Hashes don’t work that way, by the way, guys: they are generally fixed length. An MD5 hash (weak) is 32 hex characters long. 25 > 32… hmm. Que?
This other one is genius: the poor guy is trying to ask for help and just posts his personal information all over the net :/
I think Tesco has always had just horrible security… but thanks for showing us what kind of passwords you use, I guess?! More of these will be on the forum as I find them throughout the month of November; feel free to add your own!
Fixing the issue?
One way I have attempted to fix this for myself is to use a password manager, such as DashLane, for all my passwords. That’s how we can solve it. Visit the ‘Tools I Use’ page to find more tools of the trade.