
How not to do web security

Discussion in 'Website Design Forum:' started by Jazajay, Jan 12, 2012.

  1. Jazajay

    Jazajay Active Member

    Oh dear lord, I had this corker across my desk today. Under no circumstances do the following. Normally I am totally against explaining why this is bad, but this is too scary.

    Message on my desk:
    New client due to recent hacks on sites hosted not on our servers, do a full site backup now.

    Let's say this site is

    Here is the ftp details:


    These were given as well, but who wants to fill them in anyway?

    Well, the server name is going to be:

    So what's the username and password?
    Anyone?

    Well, that's the username:

    Clearly. So the password is what?
    1 of 2:
    95% chance it's
    5% chance it may possibly be:

    Right, who can see how that can be exploited? Anyone?
    Because you are not going to need to understand why giving this:

    Was a moronic thing to do.

    Let's say we are interested in hacking and we know they host it.

    Who wants to fill in most of the details by a pure guess?
    What do you reckon most of them are?


    Now what are the server name and username to

    Yeah, that's right:
    example-purple and

    Okay, now let's examine the password, as that's the only thing I have to work out for

    What do we know?
    Well, we know our password was:

    So first off:
    1) All lowercase characters
    2) No special characters
    3) High chance it's exactly 8 characters long
    4) Possibility that their password could start with aa
    5) Possibility that the 3rd and 4th characters of their password are also numbers
    6) If 5 is correct, a possibility that the others are all characters and, bringing in 1, lowercase.

    But what else?
    Now, if I am going to run an automated attack, let's try narrowing this down first.

    What if we try the first pattern to test for


    [a][a][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]

    Let's face it, there are far fewer possibilities if all their passwords start with

    the letter a twice, then 2 numbers, followed by 4 random lowercase characters, and if they do we have just narrowed it down from 8 to 6 characters.

    Okay, what if we then ran a second automated attack for
    [lowercase letter][lowercase letter][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]

    If that fails, we then just run a test for all 8 characters with possible lowercase characters and numbers, but miss out any we have already tested.

    That could be confirmed further if we registered a second account at the company and got a second set of password details.

    By the time I get up in the morning, I would put money on it that I would have access to the entire FTP area to do with what I pleased.

    Morons, utterly. :blink:

    And yet another reason I never went to university. Dear lord, why do people think university degrees are worth the paper they are written on? :down:
  2. JamesBrentwood

    JamesBrentwood Senior Member

    First mistake is FTP.
  3. Squiddy

    Squiddy Guest

    Interesting - the way I normally do it is smash my face into my keyboard and see what comes out as a password.

    I normally then go back and randomise it a little bit; if, for instance, my face typed ininb98375, I'd probably change it to something like iN983in75B. Is that method more or less secure than using four random, common words? Or just as effective?
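The keyspace arithmetic in Jazajay's post, and the random-words comparison Squiddy asks about, worked through as an added example; this is not code from the thread or from either poster. It parses the thread's bracket-mask notation, counts how many passwords each mask admits and the equivalent bits of entropy, and infers the mask that a set of issued passwords shares, which is the check a hosting provider would run against the output of its own password generator rather than waiting for someone else to do it. The `[any]` token, the sample passwords, the 94-symbol alphabet for the strong generator and the 7776-word list size used for the four-word comparison are assumptions, not values from the thread.

```python
import math
import re
import secrets
import string

LOWER = string.ascii_lowercase
DIGIT = string.digits
LOWER_DIGIT = LOWER + DIGIT
# Assumed full alphabet for a properly random generator: 26+26+10+32 = 94 symbols.
FULL = LOWER + string.ascii_uppercase + DIGIT + string.punctuation


def parse_mask(mask):
    """Turn the thread's bracket notation into a tuple of allowed alphabets.

    Tokens from the thread: [a] is the literal letter a, [number] a digit,
    [lowercase letter] any lowercase letter.  [any] is our own addition
    meaning "lowercase letter or digit".
    """
    alphabets = []
    for token in re.findall(r"\[([^\]]+)\]", mask):
        if token == "number":
            alphabets.append(DIGIT)
        elif token == "lowercase letter":
            alphabets.append(LOWER)
        elif token == "any":
            alphabets.append(LOWER_DIGIT)
        elif len(token) == 1:
            alphabets.append(token)          # a literal character
        else:
            raise ValueError("unknown mask token: " + token)
    return tuple(alphabets)


def keyspace(alphabets):
    """Number of distinct passwords that fit the mask (product of class sizes)."""
    return math.prod(len(a) for a in alphabets)


def bits(alphabets):
    """Equivalent entropy in bits if each position is chosen uniformly."""
    return math.log2(keyspace(alphabets))


def matches(password, alphabets):
    """True if the password fits the mask position by position."""
    return len(password) == len(alphabets) and all(
        ch in allowed for ch, allowed in zip(password, alphabets))


def infer_mask(samples):
    """Infer the tightest mask a set of equal-length passwords shares.

    Defender's version of the 'compare a second account' step in the thread:
    feed it passwords your own generator issued and see how much structure
    (fixed prefix, digit positions, lowercase-only) they give away.
    """
    if len({len(s) for s in samples}) != 1:
        raise ValueError("samples must all have the same length")
    alphabets = []
    for chars in zip(*samples):
        seen = set(chars)
        if len(seen) == 1:
            alphabets.append(chars[0])       # identical in every sample
        elif seen <= set(DIGIT):
            alphabets.append(DIGIT)
        elif seen <= set(LOWER):
            alphabets.append(LOWER)
        else:
            alphabets.append(FULL)           # no narrower class fits
    return tuple(alphabets)


def words_bits(n_words, list_size):
    """Entropy of n words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def strong_password(length=16, alphabet=FULL):
    """Uniformly random password from the full alphabet, via the secrets module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Masks as written in the thread, plus the full 8-character lowercase/digit search.
THREAD_MASKS = {
    "aa + 2 digits + 4 lowercase":
        "[a][a][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]",
    "2 lowercase + 2 digits + 4 lowercase":
        "[lowercase letter][lowercase letter][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]",
    "any 8 lowercase/digits": "[any]" * 8,
}

# Constructed sample passwords in the shape the thread describes (not real ones).
SAMPLE_ISSUED = ["aa12bcde", "aa73klmn", "aa05zzqr"]

if __name__ == "__main__":
    for name, mask in THREAD_MASKS.items():
        m = parse_mask(mask)
        print(f"{name:40s} {keyspace(m):>16,d} candidates  {bits(m):5.1f} bits")
    inferred = infer_mask(SAMPLE_ISSUED)
    print("mask inferred from issued samples:", round(bits(inferred), 1), "bits")
    print("4 words from a 7776-word list:", round(words_bits(4, 7776), 1), "bits")
    print("16 chars from 94 symbols:", round(bits((FULL,) * 16), 1), "bits")
    print("example strong password:", strong_password())
```

Running it shows the point of the thread in numbers: the `aa` + digits + lowercase mask leaves about 25 bits (roughly 46 million candidates), the unrestricted 8-character lowercase/digit search about 41 bits, four words from a 7776-word list about 52 bits, and 16 characters from the full alphabet over 100 bits. A generator whose output `infer_mask` can collapse to a handful of bits across a few samples is leaking its structure to anyone who registers twice.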
  4. Paul Murray

    Paul Murray Moderator Staff Member

    When I pick a new password it's usually either 'love', 'sex', 'secret', or 'god'.
  5. JamesBrentwood

    JamesBrentwood Senior Member

    Use them all in one, and you've got a winner.
