
100M clear text passwords stolen from Russia's biggest social network - twoshedsmcginty
https://thestack.com/security/2016/06/06/vk-100-million-clear-text-passwords-stolen/
======
raverbashing
Instead of idiot questions like FizzBuzz, maybe recruiters should be asking
about password storage best practices.

~~~
rcconf
I've asked these questions in interviews and a lot of programmers seem to know
the basics (what a hash is), but seem to fall short when it comes to things
like what a salt is, modern storage techniques (bcrypt, scrypt, PBKDF2) and
how rainbow attacks can be used to crack hashes.

It's a bit tricky to fail someone in an interview because they don't know
security. I think the better way to handle security in a company is to hire a
programmer that knows it and teaches it to other programmers during code
reviews.

~~~
MOARDONGZPLZ
Is there a good article or breakdown on modern best security practices? I am a
relatively experienced programmer and know what a hash and salt are, and have
read the wikipedia article on rainbow tables (though I now forget what they
are other than that they make attacks of certain things easier), but that's
the extent of my knowledge.

~~~
CiPHPerCoder
Here's one. Title: How to safely store your users' passwords in 2016.

[https://paragonie.com/blog/2016/02/how-safely-store-password...](https://paragonie.com/blog/2016/02/how-safely-store-password-in-2016)

~~~
jtchang
That site recommends libsodium which by default uses Argon2. The issue is that
Argon2 is not very mature yet. Also if you are using python there is no good
library out there. Ideally you want something well tested since it is possible
for libraries to have bugs as well.

------
Artlav
Official local news: This never happened.

Slightly less advertised news: This never happened, the data is from a
2011-2012 leak, and everyone from it was forced to change passwords long ago.

The "33,236 times" password is actually mildly obscene, meaning something
close to "everything went to hell". Doesn't make any special sense to me.

~~~
Sacho
Does the number 0211 after it hold any significance?

~~~
hamstergene
My guess: someone was registering thousands of bots using common swearing
words + some number as their password, and this particular spam campaign
happened to be particularly large.

------
acak
I'm sorry, I hate pointing anything negative out. Was it a recent change to
store passwords in clear text?

It's worrying because the founders of VK started Telegram which claims to be
end-to-end encrypted.

~~~
dchest
No, in 2007 they even sent your password by email immediately after creating
an account:
[https://twitter.com/dchest/status/739804779296219136](https://twitter.com/dchest/status/739804779296219136)

There was also "remind password" feature:
[https://twitter.com/extractor/status/739801634423857152](https://twitter.com/extractor/status/739801634423857152)

Also, they used to store MD5(password) in cookies.

Yes, these are the same people who made Telegram.

~~~
greenleafjacob
Sending your password in plain text in email doesn't mean it's stored in plain
text; it could be copied from memory into the email before being discarded at
the end of execution of the initial request.

~~~
dchest
If you ever find a service that is stupid enough to send password by email,
but smart enough to store it hashed, please let me know.

Also, you missed a part of my comment where I said that they sent passwords by
email when you clicked "I forgot password".

------
acqq
> Almost as surprising is the 24,309 times that ‘marina’ is found as a
> password here

It's a common name; apparently English speakers traditionally translated the
Greek name Μαρίνα (Marina) to "Margaret."

------
lossolo
Clear text passwords? I thought it's 2016. If you are not using bcrypt/scrypt
or similar in 2016 then you should change profession.

~~~
drakenot
Just yesterday I clicked on the "Forgot Password" link on the AutoTrader.com
website. I was expecting a reset link in my email and instead they just
emailed me my password in cleartext. This is a huge website! Not some small
business. It completely baffles me.

I wish that there was some way to shame these companies. I've seen some
websites that list some of these offenders but they don't appear to be
effective enough. I want news articles written about these companies in the
magazines that the CIOs care about, with their photo right next to the
article.

~~~
asadlionpk
This seems to be the most popular collection:
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

There should be a warning in the browser that these websites are known to
store password in plaintext. This can be achieved by an extension too.

~~~
nacs
> This can be achieved by an extension too.

In the website you linked, there is a "3rd party tools" link [1] that has a
Chrome extension [2] and a Firefox addon [3] that do just that.

[1]: [http://plaintextoffenders.com/tools](http://plaintextoffenders.com/tools)

[2]: [https://chrome.google.com/webstore/detail/plain-text-offende...](https://chrome.google.com/webstore/detail/plain-text-offenders-aler/ggndaknbenjhnkddgjnjjcmomgaidhmd)

[3]: [https://addons.mozilla.org/en-US/firefox/addon/plain-text-of...](https://addons.mozilla.org/en-US/firefox/addon/plain-text-offenders/)

------
sakopov
I just logged into VK to change my password. It happily accepted a
30-character generated password (alphanumeric with upper/lowercase and
special characters). However, I was not able to log in with it after changing
the password. Tried using their password recovery tool that texts you an MFA
code. It never came. Attempting to send another one gave me a "You exceeded
daily attempts limit" error message. I guess tomorrow I'm going to TRY to
log in just to delete the damn account altogether.

------
executesorder66
Better link:
[https://www.leakedsource.com/blog/vk](https://www.leakedsource.com/blog/vk)

~~~
davotoula
What makes "PolniyPizdec0211" such a popular password?

~~~
AdamN
Probably a bot creating those users for various reasons.

------
welder
Looks like it's being sold for 1 BTC [1]. Screen Shot:

[https://www.instagram.com/p/BGUE5H2yqa_/](https://www.instagram.com/p/BGUE5H2yqa_/)

[1]
[http://trdealmgn4uvm42g.onion/listing/3716](http://trdealmgn4uvm42g.onion/listing/3716)

~~~
tomtoise
Judging from that 'gram shot, it looks like VK didn't bother actually deleting
user profiles (à la Ashley Madison). Will be interesting to see the fallout
from this, if confirmed.

------
nekopa
OT question: VK is the "Russian Facebook". The article claims it has 280
million users, but a quick Google shows Russia has a population of 143
million.

What gives? Russian speaking countries? Multiple accounts per user?

~~~
3pt14159
VK is actually available in essentially all modern languages and is very
popular in Belarus, Ukraine, and Kazakhstan; and sometimes used in countries
with large numbers of immigrants from those four countries (Canada, Israel,
etc) to check on family members or friends.

------
frandroid
What if the Kremlin asked them to not encrypt passwords, so they could be
harvested?

------
ronreiter
Can anyone send a download link? I'm dying to analyze the passwords

------
CiPHPerCoder
Isn't this by the same folks who brought us Telegram?

------
asadlionpk
It's crazy how passwords are stored in these sites with millions of users.
Secure password storage is one of my top priorities when I am
training interns or teaching someone web app dev.

~~~
Mahn
There's an old saying, "the world runs on shitty code". I always think of that
when I see headlines like these.

------
hackim
'dadada' password...

