
YouPorn passwords available for download, thousands of users exposed - bleakgadfly
http://nakedsecurity.sophos.com/2012/02/22/youporn-password-download/
======
pstatho
I'm CTO for Manwin Canada and ultimately responsible for YouPorn.

It's unfortunate that people are associating chat.youporn.com to the actual
YouPorn.com site, but they are not affiliated at all. It was operated by a
completely separate entity, which we've obviously closed as soon as we
discovered it. The accounts on chat.youporn.com are different than the
accounts on YouPorn. Though as was mentioned, it is probable that some have
re-used the same username/password combination, which is highly unrecommended
for all you folks out there (if you read Hacker News, you already know that).

As for password policies, I've been enforcing hashing of passwords ever since
joining, though as we inherit a lot of old code and sites we correct issues
such as that as we come across them.

I'll be around for a while, if anyone wants to ask questions.

~~~
rdl
Thanks for showing up here!

By hashing, do you mean current best practice (bcrypt, scrypt, or possibly a
pbkdf with high work factor), or something easily brute forced like MD5 and
SHA1? There are issues with migration if you're doing the latter, but not a
big deal.

Do you have any contractual recourse against the chat provider? Have you
considered including such terms in future contracts with partners?

Do you have a security audit firm? There's plenty of value to in-house audits,
but some kind of independent audit is probably a reasonable choice. You
probably don't have PCI concerns (it's free, right?), but users might feel
better about privacy otherwise. Just the existence of an account for a given
user is probably an issue for some people, so even foolish things like using
the same _username_ on a porn site as on other sites could be a leak -- being
able to verify that myhusbandinvirginiasportsfan is a valid user account on
youtube would potentially make a divorce attorney very happy.

Would you answer general questions about the site/business, too? The whole
porn tube thing seems like a big change in the industry (I was at SHOT Show in
Vegas a few weeks ago, and stopped by the concurrent AVN event -- they really
hate the tubes). I'm especially curious how you feel about the meta-tube sites
(e.g. fantasti.cc) which seem to blatantly scrape youporn (and other tube)
content. Preroll ads still show, but nothing else.

~~~
rplnt
What is wrong with salted SHA or even MD5 for that matter?

~~~
daeken
A single round of a hash -- salted or not -- is simply broken in 2012. When
you can rent time on a bunch of GPUs on EC2 for effectively nothing, breaking
the vast majority of hashes takes no work at all. PBKDF2 with a large number
of rounds (10000 recommended), bcrypt, or scrypt are a requirement IMO.

~~~
DomBlack
Do you have any links to articles regarding being able to easily crack a
single round hash?

I'm wondering what sort of time frame you'd be looking at for a single round
password, i.e. md5(salt.cleartext)

~~~
drostie
There are about 252 trillion or 2^48 passwords consisting of 8 symbols drawn
from (uppercase/lowercase letters + numbers + space). These are presently
available in a downloadable lookup table which uses a compression method
called 'rainbow tables' to store this information in just 350 GB, if I am
reading these numbers correctly. There are similar lookup tables which include
all 32 symbols accessible from the keyboard out to 7 characters, taking up 130
GB on disk. These speedups and compressions are made by large distributed
computing projects, and would otherwise be out of the range of normal
consumers -- but now that the lookup table has been generated, it can be
pretty quickly queried, as I understand it.

Salting a hash is meant to stop precisely these attacks, and these numbers
were taken for MD5 in particular from:

    
    
        http://tbhost.eu/rt.php?algorithm=2
    

However this also gives us a bound on what's possible. A large project with
10,000 users trying to brute-force passwords can brute force all 2^48 of
these, and store them in a highly compressed fashion, in however long it takes
to make these things (months?). In theory, no password with under 48 bits of
entropy is truly safe from someone with access to, say, government-scale
computation.

What's possible for the rest of us? I can use Node.js to encrypt a typical
password using PBKDF2(HMAC-SHA1) like so:

    
    
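         const crypto = require('crypto'), logger = (err, key) => console.log(err || key.toString('hex'));
         crypto.pbkdf2('sconesMultiply51', '0SGrf8KIZ', Math.pow(2, 17), 18, 'sha1', logger); // digest argument is required on current Node.js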
    

This takes 377 ms on my web server and calls SHA1 something like 2^18 times
(twice for HMAC, 2^17 for the PBKDF parameter above), 255ms on my laptop. It's
also a wrapper for an OpenSSL routine. So this should be about typical for C
routines, and I should be able to do 2^20/s without GPU speedups. (That's 2^36
passwords/day.)

The above password 'sconesMultiply51' only has 40 bits of unpredictableness,
so give me about two weeks, '0SGrf8KIZ', and sha1('0SGrf8KIZsconesMultiply51')
and I can quite possibly find 'sconesMultiply51' by brute force on a laptop.

GPUs make things faster. This site:

    
    
        http://www.insidepro.com/eng/egb.shtml
    

reports doing sha1($pass.$salt) 80 million times per second on an older GPU
(an nVidia GTS250). So they can get 2^26/s. If they're right, then they could
hypothetically find 'sconesMultiply51' in under a day, as long as you
reconfigured them to start searching words from a 10,000-word dictionary which
might optionally be capitalized, rather than individual characters.

What's the absolute upper bound? Well, thankfully, the biggest public
supercomputers are actually very well-known and published on top500.org. The
absolute top of the line today is this beast:

    
    
        http://i.top500.org/system/177232
    

It does 2^53 floating point operations per second. Assuming a hash is
something like 100 or 1000 operations, you'd still have 2^43-2^46 tries per
second. That's probably an upper limit on what your typical government can do,
as well.

Lessons: (1) you'll be safe for the next 20 years at least if you just get
used to

    
    
        head -c 9 /dev/urandom | base64 | sed 's/+/_/g;s/\//-/g'
    

and the 12-character passwords that result. (2) you can give people about
16-20 bits of extra security if you use key stretching techniques, but that's
about it.

~~~
rplnt
The bad thing is that you can't really use a hashing function that takes a
quarter of a second to complete in a service with many (many!) users.

~~~
thirsteh
Of course you can. You only need it for the initial login.

------
rdl
<http://blog.youporn.com/youporn-data-not-exposed/>

It was actually the passwords to YP Chat, not YouPorn itself. The YouPorn
guys are pretty reasonable engineers and sysadmins, from what I've seen, and
manage user passwords correctly.

Personally, I think in 2012, if you're not using a password manager to
generate and manage unique, strong passwords per site, especially for
"sketchy" stuff like porn sites, you're already doomed.

Also, Presidents Day and other minor useless holidays are great times for
annual rituals like tracking down and changing any legacy shared passwords you
may have. Don't wait for a breach!

~~~
drivebyacct2
The sad thing is, people don't use password managers out of laziness despite
the fact that it actually speeds up all of these processes. One password
unlocks it, one click to login to any of my sites with strong, secure, unique
passwords. Autofills out registration forms and generates a unique password
for me. It's _faster_ than me having one memorized password.

Yet, friends and HN hackers alike have scoffed at my attitude which is roughly
the same as yours. If you're blindly trusting sites with a non-unique
password, it's only a matter of time.

(edit) To get ahead of the repeat replies, LastPass syncs across browser
extensions, encrypts/decrypts locally, can be accessed from any browser even
without an extension and has mobile apps. I've been using it for probably two
years now and I've never not been able to access an account even when using
all varieties of guest computers, iPads, etc.

~~~
outworlder
The thing with password managers is that the most convenient ones store your
data in a server somewhere. And that opens up more issues than it solves.

For the ones that store information in a local file, that could work. But then
a lot of the mobility is lost, even if you use something like Dropbox (you are
not going to sync behind a corporate firewall, for instance). At least my
brain is attached to my head and is very portable, I just have to remember the
damn things.

That said, do you have recommendations?

~~~
rdl
I really like 1Password (but I use only macs for low security laptop/desktop
stuff) -- the browser extension is great, and the iOS apps sync over wifi or
dropbox.

The one thing I'm waiting for is iCloud integration. If they don't provide
iCloud integration, I'd consider other options (including trying to roll-your-
own, maybe using their extensions and spoofing the IPC)

------
pjscott
How many sites need to be humiliated like this before people learn to hash
passwords with something like bcrypt? It's like two damn functions. You just
call them! It's so easy that even a baby squirrel could do it! There is no
excuse.

Until then, I hope everyone is using a throwaway password for accounts that
can be non-disastrously stolen, and using strong unique passwords for the
important ones.

~~~
pbreit
Besides "use bcrypt" I've never really seen decent guidance on how to actually
store passwords (what sort of salt to use, where to store the salt, if and
where to store the hash method, how/where to store the key, etc).

~~~
pjscott
I'll write one for you right now, because it really is as simple as I made it
sound. I'll use the API from py-bcrypt here, but they're all pretty much the
same. When a user gives you their password for the first time, here's what you
store in your database:

    
    
        import bcrypt  # on Python 3, password must be a bytes object
        hashed_password = bcrypt.hashpw(password, bcrypt.gensalt())
    

Store hashed_password in your database for later. Then, when a user tries to
log in, they will tell you their password. You'll need to check that it
matches the hashed_password value you have stored. Here's how:

    
    
        if bcrypt.hashpw(password, hashed_password) == hashed_password:
            print('Password is correct!')
        else:
            print('Wrong password.')
    

That's all there is to it. The bcrypt library handles everything else. It is
this simple because if it weren't, people would mess it up.
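
An added example, not part of the comment above and not py-bcrypt's code: one way to answer the question about where the salt and the hash method go, and the earlier point about migrating old hashes at login. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs without third-party packages; the record format, the `ITERATIONS` value and the `login` helper with a dict standing in for the database are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"  # stored with every hash so the method can change later
ITERATIONS = 600_000         # work factor assumed for this example; tune to your hardware
SALT_BYTES = 16


def _derive(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password, iterations=ITERATIONS):
    """Return one self-describing record: algorithm$iterations$salt$hash."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password, not secret
    digest = _derive(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """Return (is_valid, needs_rehash) for a stored record."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return False, False  # malformed record: reject, never fall back to plaintext
    if algorithm != ALGORITHM or iterations < 1:
        return False, False
    ok = hmac.compare_digest(_derive(password, salt, iterations), expected)
    return ok, ok and iterations < ITERATIONS


def login(db, user, password):
    """db is a dict of user -> stored record (stand-in for a database column)."""
    stored = db.get(user)
    if stored is None:
        return False
    ok, needs_rehash = verify_password(password, stored)
    if ok and needs_rehash:
        db[user] = hash_password(password)  # upgrade while the plaintext is in hand
    return ok
```

Because the salt, algorithm name and work factor live in the same column as the hash, raising `ITERATIONS` later needs no schema change: old records still verify and are rewritten on the next successful login.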

~~~
dchest
Your verification code is wrong. See
<http://codahale.com/a-lesson-in-timing-attacks/>

Edit: I'm wrong, sorry.

~~~
tptacek
Wait, what? What's the attack you're thinking of here? How would it actually
work?

~~~
dchest
Hah, you're right. It's practically impossible to generate passwords in such
a way that they will give hashes differing by only a byte. Sorry, I see timing
attacks everywhere.

~~~
tptacek
Have you actually ever written an exploit for one? It'll cure you of that
problem really fast.

(I'm being serious, not snarky).

~~~
dchest
This is actually very good advice, especially for people like me who have
a hard time visualizing how complex things work. For example, when I tried to
understand what the meet-in-the-middle attack is, and couldn't, it was
incredibly helpful to implement it (<https://gist.github.com/1062437>). Then I
understood.

------
laconian
Kudos on the double entendre in the title, intentional or not.

~~~
verelo
I'm so glad you noticed this, because it got me laughing but I couldn't decide
if it was on purpose or not either! A good joke on words makes the world a
better place.

~~~
aes
I was thrilled on the self-describing appropriateness of the term "double
entendre" in this context until I found that "entendre" didn't actually mean
"enter" in French. If it would, the term itself would be hilarious.

------
NelsonMinar
Top 10 domains: 1469 yahoo.com / 1071 hotmail.com / 882 gmail.com / 205
hotmail.co.uk / 178 web.de / 136 gmx.de / 127 aol.com / 116 hotmail.de / 115
live.com / 104 hotmail.fr

Top 10 passwords: 110 123456 / 75 123456789 / 30 12345 / 23 melinda / 19 fuck
/ 18 1234567890 / 17 Nightmare / 16 allzen / 15 password / 15 anal

That's of about 6400 records.

~~~
pyre
I'm curious about these:

    
    
      23 melinda
      16 allzen
    

Seems odd that so many people would end up with those passwords. Maybe these
represent multiple accounts by the same person?

~~~
NelsonMinar
You're right, it's mostly just a few people. There are duplicate entries in
the input file I didn't account for.

------
ahel
<http://pastebin.com/yJ8JU45W>

------
Kiro
Everything was on <http://chat.youporn.com/tmp/> completely open to the public
so this is an even bigger screw-up than the fact that they didn't hash their
passwords.

------
joejohnson
Link to the password dump: <http://pastebin.com/ieC6eTB7>

~~~
tansey
Any link to the password dump from the Brazzers attack referenced in the
article?

------
rokhayakebe
Why would anyone sign up for a porn site with their main email address? What
baffles me even more is how some people actually whip out their credit card
and give the digits to a porn site.

~~~
jrockway
_What baffles me even more is how some people actually whip out their credit
card and give the digits to a porn site._

Why? Most of the big porn studios are as trustworthy as any other Internet
business of the same size, and if your credit card number is misused, you're
not liable for the charges anyway. Porn popularized selling DRM-free content
for money long before Louis CK made it popular. Porn actors need to pay their
rent too.

~~~
spindritf
> Why? Most of the big porn studios are as trustworthy as any other Internet
> business of the same size

The probability of a leak may be similar but the downside isn't. It's no
problem whatsoever if your name is linked to cheapprogrammingbooks.com, you
cancel the card, get a new one. The situation is somewhat different for
spermgarglingteens.com.

~~~
jrockway
How? Someone that regularly peruses leaked password lists will know that you
look at porn?

------
aaronpk
Someone should make a site where you sign in with your Gmail account and find
out how many of your contacts have youporn accounts.

~~~
rsanchez1
I wouldn't trust a site like that with my Gmail contacts.

~~~
aaronpk
That was kind of part of the irony :)

~~~
ortatherox
With Google's OAuth you wouldn't have to give them access to your account ;)

------
te_chris
And all this after all the press about them moving their entire stack to Redis
etc etc. How can a company achieve such an epic technical feat and have shitty
password hashing?

~~~
cstejerean
This doesn't look like a problem with password hashing. This is what happens
when you get careless with debug logging.

------
___Calv_Dee___
I don't understand how this makes it to Top News. I think at this point we are
all well aware that no user-password store is impenetrable or invulnerable and
porn websites would hardly be an exception. If you do not know by now that you
should not be using the same password across multiple accounts, it seems like
there is little hope. There is no lesson to be learned here. Is it not an
implicit assumption that if you subscribe to a porn website someone is most
likely going to find out one way or another?

1. Don't reuse passwords.
2. Don't subscribe to porn sites if you have something to lose from someone
finding out.

~~~
jarin
I think it is more of a public service announcement, because it is a very
popular site and yes, a lot of people on HN probably use it.

------
jamesu
This has been passed around a certain anonymous messageboard for the better
part of a week now, I'm surprised Sophos has taken this long to write anything
about it!

------
shadowed
Bonus: it appears YouPorn has no way to change your password, nor any way to
change (or even see) the email address that is associated with your account.

------
paul9290
Always good to have a throwaway email, username and password for sites like
this and others you care little about.

~~~
simcop2387
I've always used mailinator for this. Makes a great site for that kind of
thing.

------
mycodebreaks
How do passwords get leaked? Does it mean they were stored in plain text?

------
verelo
So who is going to be the first person to parse this out and determine what
the most commonly used password is?

Any bets on asdfghjkl;' ??

 _I think I'll do this tonight_

~~~
theirixhn
Unfortunately there are only 4800 unique users of a total of 6000 in the
pastie, a lot of dups. So the recent arstechnica statistics, especially the tag
cloud by Ashkan Soltani, are not very accurate. It was very strange to discover
the generated '3kpm1858' password as popular. Check it here <http://pastebin.com/f7MUMw6t>

------
uvTwitch
YouPorn: where everything is exposed.

