How not to do web security

Jazajay

Active Member
Oh dear lord, I had this corker across my desk today. Under no circumstances do the following. Normally I am totally against explaining why this is bad, but this is too scary.

Message on my desk:
New client due to recent hacks on sites hosted not on our servers, do a full site backup now.

Let's say this site is example-gots.co.uk

Here are the ftp details:

ftp://example-gots:aa32asdf@example-gots.co.uk

username:
password:
servername:

These were given as well, but who wants to fill them in anyway?

Well, the server name is going to be:
example-gots.co.uk

So what's the username and password?
Anyone?

Well, that's the username:
example-gots

Clearly. So the password is what?
1 of 2:
95% chance it's
aa32asdf
5% chance it may possibly be:
:aa32asdf

Right, who can see how that can be exploited? Anyone?
Because you are not going to need to understand why giving this:
ftp://example-gots:aa32asdf@example-gots.co.uk

was a moronic thing to do.

Let's say we are interested in hacking example-purple.com, and we know they host it.

Who wants to fill in most of the details by a pure guess?
What do you reckon most of them are:

ftp://example-purple:<password>@example-purple.com

Now what is the server name and username to example-purple.com?

Yeah, that's right:
example-purple and example-purple.com

Okay, now let's examine the password, as that's the only thing I have to work out for example-purple.com.

What do we know?
Well we know our password was:
aa32asdf

So first off:
1) All lowercase characters
2) No special characters
3) High chance it's exactly 8 characters long
4) Possibility that their password could start with aa
5) Possibility that the 3rd and 4th characters of their password are also numbers
6) If 5 is correct, a possibility that the others are all letters and, bringing in 1, lowercase.

But what else?
Now, if I am going to run an automated attack, let's try narrowing this down first.

What if we try the first pattern to test for as:

[a][a][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]

Let's face it, there are far fewer possibilities if all their passwords start with the letter a twice, then 2 numbers, followed by 4 random lowercase characters, and if they do we have just narrowed it down from 8 to 6 characters.

Okay, what if we then ran a second automated attack for
[lowercase letter][lowercase letter][number][number][lowercase letter][lowercase letter][lowercase letter][lowercase letter]

If that fails, we then just run a test for all 8 characters with possible lowercase characters and numbers, but miss out any we have already tested.

That could be confirmed further if we registered a second account at the company and got a second set of password details.

By the time I get up in the morning, I would put money on it that I would have access to example-purple.com's entire FTP area to do with what I pleased.

Morons, utterly. :blink:

And yet another reason I never went to university, dear lord, why do people think university degrees are worth the paper they are written on? :down:
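As an added illustration (not part of any post in this thread), the search-space arithmetic behind the three stages the post describes, plus a check a hosting provider could run over its own generated passwords to see whether they all share one character-class template; the second sample password below is constructed.

```python
import math
import string

DIGITS = string.digits
LOWER = string.ascii_lowercase
ALNUM_LOWER = LOWER + DIGITS


def keyspace(positions):
    """Number of candidates admitted by a per-position list of alphabets."""
    return math.prod(len(alphabet) for alphabet in positions)


def bits(n):
    """Equivalent entropy of a keyspace of n candidates, in bits."""
    return math.log2(n)


# The three stages from the post, modelled as per-position alphabets.
STAGE_1 = ["a", "a", DIGITS, DIGITS] + [LOWER] * 4       # aa##llll
STAGE_2 = [LOWER, LOWER, DIGITS, DIGITS] + [LOWER] * 4   # ll##llll
STAGE_3 = [ALNUM_LOWER] * 8                              # any 8 of a-z0-9


def class_template(password):
    """Map each character to a class letter: l (lower), d (digit), u (upper), s (other).

    A provisioning generator that always emits the same template lets one
    leaked password shrink the search space for every other account.
    """
    out = []
    for ch in password:
        if ch in LOWER:
            out.append("l")
        elif ch in DIGITS:
            out.append("d")
        elif ch in string.ascii_uppercase:
            out.append("u")
        else:
            out.append("s")
    return "".join(out)


def shared_template(passwords):
    """Return the common template if every sample shares one, else None."""
    templates = {class_template(p) for p in passwords}
    return templates.pop() if len(templates) == 1 else None


# Constructed samples: the leaked one from the post and a made-up sibling.
SAMPLES = ["aa32asdf", "bq71kzmp"]
```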
 
First mistake is FTP.
Also,
password_strength.png
 
Interesting - the way I normally do it is smash my face into my keyboard and see what comes out as a password.

I normally then go back and randomise it a little bit; if, for instance, my face typed ininb98375, I'd probably change it to something like iN983in75B. Is that method more or less secure than using four random, common words? Or just as effective?
 