
How not to do web security

Discussion in 'Website Design Forum:' started by Jazajay, Jan 12, 2012.

  1. Jazajay

    Jazajay Active Member

    Oh dear lord, I had this corker across my desk today. Under no circumstances do the following. Normally I am totally against explaining why this is bad, but this is too scary.

    Message on my desk:
    New client; due to recent hacks on sites not hosted on our servers, do a full site backup now.

    Let's say this site is example-gots.co.uk

    Here are the FTP details:

    ftp://example-gots:aa32asdf@example-gots.co.uk

    username:
    password:
    servername:

    These were given as well, but who wants to fill them in anyway?

    Well, the server name is going to be:
    example-gots.co.uk

    So what's the username and password?
    Anyone?

    Well, that's the username:
    example-gots

    Clearly. So the password is what?
    1 of 2:
    95% chance it's
    aa32asdf
    5% chance it may possibly be:
    :aa32asdf

    Right, who can see how that can be exploited? Anyone?
    Because you are not going to need to understand why giving this:
    ftp://example-gots:aa32asdf@example-gots.co.uk

    was a moronic thing to do.

    Let's say we are interested in hacking example-purple.com and we know they host it.

    Who wants to fill in most of the details by a pure guess?
    What do you reckon most of them are:

    ftp://example-purple:password@example-purple.com

    Now what is the server name and username to example-purple.com?

    Yeah, that's right:
    example-purple and example-purple.com

    Okay, now let's examine the password, as that's the only thing I have to work out for example-purple.com.

    What do we know?
    Well we know our password was:
    aa32asdf

    So first off:
    1) All lowercase characters
    2) No special characters
    3) High chance it's exactly 8 characters long
    4) Possibility that their password could start with aa
    5) Possibility that the 3rd and 4th characters of their password are also numbers
    6) If 5 is correct, a possibility that the others are all letters and, bringing it in one more, lowercase.

    But what else?
    Now, if I am going to run an automated attack, let's try narrowing this down first.

    What if we try the first pattern to test for as:

    [a][a][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]

    Let's face it, there are far fewer possibilities if all their passwords start with the letter a twice, then 2 numbers, followed by 4 random lowercase characters, and if they do we have just narrowed it down from 8 to 6 characters.

    Okay, what if we then ran a second automated attack for:
    [lowercase letter][lowercase letter][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]

    If that fails, we then just run a test for all 8 characters with possible lowercase characters and numbers, but miss out any we have already tested.

    That could be confirmed further if we registered a second account at the company and got a second set of password details.

    By the time I get up in the morning, I would put money on it that I would have access to example-purple.com's entire FTP area to do with as I pleased.

    Morons, utterly. :blink:

    And yet another reason I never went to university. Dear lord, why do people think university degrees are worth the paper they are written on? :down:
     
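The narrowing described in the post above, worked through in code. This is an added example, not code from the post or from anyone in the thread. The three stages are the post's masks for an 8-character password, derived from the leaked aa32asdf; the guess rate of 1,000 login attempts per second is an assumption for the "by morning" arithmetic (a real FTP server, especially one that rate-limits or locks accounts, is far slower). The rank/count_below arithmetic is added here so the number of guesses a target costs can be computed without enumerating the 45 million stage-1 candidates; a small brute-force reference (`staged_attack`) exists to check it on toy masks.

```python
import itertools
import math
import string
from typing import Callable, Iterator, List, Optional, Tuple

Mask = List[str]  # one alphabet string per password position

DIGITS = string.digits
LOWER = string.ascii_lowercase

# The three stages from the post, derived from the leaked password 'aa32asdf'.
STAGES: List[Mask] = [
    ["a", "a", DIGITS, DIGITS, LOWER, LOWER, LOWER, LOWER],      # [a][a][0-9][0-9][a-z]x4
    [LOWER, LOWER, DIGITS, DIGITS, LOWER, LOWER, LOWER, LOWER],  # [a-z][a-z][0-9][0-9][a-z]x4
    [LOWER + DIGITS] * 8,                                        # any a-z0-9, 8 long
]
GUESS_RATE = 1_000  # assumed login attempts per second; a real FTP server is usually slower


def keyspace(mask: Mask) -> int:
    """Number of passwords a mask covers."""
    return math.prod(len(a) for a in mask)


def matches(mask: Mask, pw: str) -> bool:
    return len(pw) == len(mask) and all(c in a for c, a in zip(pw, mask))


def is_refinement_chain(stages: List[Mask]) -> bool:
    """Each stage must widen the previous one position by position, so that the
    set of passwords already tried before stage i is exactly stage i-1."""
    return all(
        len(a) == len(b) and all(set(x) <= set(y) for x, y in zip(a, b))
        for a, b in zip(stages, stages[1:])
    )


def candidates(mask: Mask) -> Iterator[str]:
    """Guess order: leftmost position varies slowest (itertools.product order)."""
    for tup in itertools.product(*mask):
        yield "".join(tup)


def staged_attack(check: Callable[[str], bool], stages: List[Mask]) -> Tuple[Optional[str], int]:
    """Brute-force reference: run the stages in order and, as the post says, skip
    guesses an earlier stage already made. Only feasible for small masks."""
    attempts = 0
    for i, mask in enumerate(stages):
        for cand in candidates(mask):
            if any(matches(prev, cand) for prev in stages[:i]):
                continue
            attempts += 1
            if check(cand):
                return cand, attempts
    return None, attempts


def rank(mask: Mask, pw: str) -> int:
    """0-based position of pw in candidates(mask): a mixed-radix number."""
    r = 0
    for c, alphabet in zip(pw, mask):
        r = r * len(alphabet) + alphabet.index(c)
    return r


def count_below(sub: Mask, full: Mask, pw: str) -> int:
    """How many members of the narrower mask `sub` come before pw in the guess
    order of `full`. Requires sub[i] to be a subset of full[i] at every position."""
    total = 0
    for i, (s, f) in enumerate(zip(sub, full)):
        target_idx = f.index(pw[i])
        smaller = sum(1 for c in s if f.index(c) < target_idx)
        total += smaller * math.prod(len(a) for a in sub[i + 1:])
        if pw[i] not in s:  # no member of sub can agree with pw beyond this point
            break
    return total


def attempts_to_crack(pw: str, stages: List[Mask]) -> Tuple[int, int]:
    """Analytic version of staged_attack: (stage index, guesses needed) for a
    target password, without enumerating anything. Needs a refinement chain."""
    assert is_refinement_chain(stages)
    done = 0  # guesses already spent when a stage starts (= keyspace of the previous stage)
    for i, mask in enumerate(stages):
        if matches(mask, pw):
            skipped = count_below(stages[i - 1], mask, pw) if i else 0
            return i, done + rank(mask, pw) - skipped + 1
        done = keyspace(mask)
    raise ValueError("password outside every stage")


if __name__ == "__main__":
    full = keyspace(STAGES[-1])  # 36**8, the 'all 8 characters' fallback
    for i, mask in enumerate(STAGES, 1):
        ks = keyspace(mask)
        print(f"stage {i}: {ks:>16,} guesses, {full / ks:>9,.1f}x fewer than a-z0-9 x 8, "
              f"{ks / GUESS_RATE / 3600:,.1f} h at {GUESS_RATE:,}/s")
    stage, n = attempts_to_crack("aa32asdf", STAGES)
    print(f"'aa32asdf' itself falls in stage {stage + 1} after {n:,} guesses")
```

Stage 1 is 45,697,600 guesses, about 61,700 times fewer than the 36^8 of an unstructured a-z0-9 search; stage 2 adds 30.8 billion more, still about 91 times fewer. At the assumed 1,000 guesses per second, stage 1 finishes in under 13 hours, which is the "by morning" figure; the same arithmetic also shows why the pattern only pays off if the hosting company really does hand out passwords from one template, which is what the second registered account in the post would confirm.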
  2. JamesBrentwood

    JamesBrentwood Senior Member

    First mistake is FTP.
     
  3. Squiddy

    Squiddy Guest

    Interesting. The way I normally do it is to smash my face into my keyboard and see what comes out as a password.

    I normally then go back and randomise it a little bit. If, for instance, my face typed ininb98375, I'd probably change it to something like iN983in75B. Is that method more or less secure than using four random, common words? Or just as effective?
     
  4. Paul Murray

    Paul Murray Moderator Staff Member

    When I pick a new password it's usually either 'love', 'sex', 'secret', or 'god'.
     
  5. JamesBrentwood

    JamesBrentwood Senior Member

    Use them all in one, and you've got a winner.
     
