
I Just Logged In As You: How It Happened - sant0sk1
http://www.codinghorror.com/blog/archives/001263.html
======
Sidnicious
In other words, the attack was nothing new or special: if you use the same
password in many places, they're all in the same "pool". If one is
compromised, they're all compromised. It's ironic (and stupid) that Jeff
Attwood's OpenID — which is supposed to obsolete passwords — was compromised
like this.

The lesson's simple: before you re-use a password think about what's in it's
pool, and for fuck's sake use a unique password for OpenID and your password
manager.

~~~
jf
Or better yet, don't use a password at all: Use a client-side SSL certificate.

Set your password to something random, and use a client-side SSL certificate
to authenticate yourself to your OpenID provider. You can use the password
reset feature if you lose your SSL certificate.

I've got instructions on how to do this on my website here:
[http://joel.franusic.com/How-to-set-up-a-client-side-SSL-
cer...](http://joel.franusic.com/How-to-set-up-a-client-side-SSL-certificate-
on-myopenid)

------
jpeterson
Reading Jeff's blog is like watching a big budget Michael Bay/Jerry
Bruckheimer production of... an old guy playing solitaire. Huge wind up and
little payoff.

~~~
badger7
But, but, but... he just put a three on a four, after building suspense for
the _whole_ week! How can you be so flippant?

------
axod
About 12 years ago or something, I used to chat on a 'talker'. Telnet
talker.thevillage.something:8833 or similar. You had a login etc, and it was
good fun.

So, I started learning about network programming etc, and built my own talker.
Registration etc etc. I got quite a few people to register on it, and was
surprised when I realized they were just using the same login details as they
used on the 'main' talker we talked on.

So I logged in as one of them on the main talker and impersonated him... got
banned for a bit. It really is surprising how easily this is done. (I was
young, and foolish).

"Hey can you just try out this webapp for me? register here." <\-- Always use
a 'throwaway' login.

~~~
derefr
I just had a brilliant idea (or, at least, I'd call it brilliant if it were
foisted upon me): a demonstration of the true possibilities of phishing, in
real-time AJAX in front of users' eyes. Have a one-page lure for an attractive
webapp, with registration right there on the front page ("all you need is a
username and password!")

When you put in your details, however, instead of doing any "registration", it
works for a few seconds in the background, and then pops up a box listing all
the sites it just logged into successfully using that username/password
combination. As long as it's done by someone reputable enough that users won't
think they actually got their password recorded by the server (Microsoft?
Bruce Schneier?) it could be a very successful educational technique.

------
patio11
Corrections to post:

1) Palin's password was not compromised directly. Instead, the backup "private
security questions" had answers which were in the public domain -- such as
"name of your high school" -- to a sufficiently dedicated adversary. (There
are four in Wasilla. Sort of narrows the search space a bit versus trying to
brute force a password, right?)

2) This doesn't prove OpenID is a good idea, at all. Let's review facts: the
site which was compromised _uses OpenID_ and presumably an OpenID provider
which has bulletproof security. The problem with this is that, for most users,
the vulnerability is not the strongest provider but the weakest one, since
they share credentials everywhere. Equivalently, you could say that the
weakest link is the user. (Even on an Internet where EVERY site used OpenID,
most users would fall for a compromise-anywhere-compromise-everywhere phishing
attack.)

~~~
jmillikin
According to the article, the site which was compromised does _not_ use
OpenID.

~~~
jcl
There were two sites that were compromised. The first did not use OpenID; it
stored an unsalted hash, which lead to the compromised password. The second
compromised site -- StackOverflow -- uses OpenID. It was compromised because
Jeff used the same password on both sites.

Patio11's point is that this is common user behavior, so OpenID doesn't offer
any better security than its weakest point, which becomes sites _not_ using
OpenID but storing the same password as OpenID. I have to disagree, though:
The alternative to OpenID is many more login/password pairs, which has exactly
the same problem to a worse degree: too many passwords to remember, so the
users reuse them.

~~~
jmillikin
StackOverflow wasn't compromised, Atwood's password was. The actual site that
password is entered into is irrelevant. If this is a compromise of SO, then
banks are compromised every time somebody steals a credit card.

~~~
cookiecaper
If that credit card had access to all of the funds in the banks, then you
would be right. Atwood has an administrator's account on StackOverflow, and
presumably administrator powers.

------
blasdel

      Oh, and for those who claim my password was a dictionary
      word, and thus this is a de-facto dictionary attack. Well,
      I just went to http://www.merriam-webster.com/dictionary/
      .. and entered my old password there:
    
      "The word you've entered isn't in the dictionary. Click
      on a spelling suggestion below or try again using the
      search bar above."
    
      Like I said, it *ain't a dictionary word!* It might be in
      cracking tables somewhere, but it isn't a dictionary word,
      at least not of the type you can use in Scrabble without 
      getting challenged..
    

Uh, Jeff? If you password isn't long, it's going to be in the rainbow table,
no matter how complex. Nobody uses their machine to hash the lines from
/usr/share/dict/words anymore! They just download a highly-compressed rainbow
table, which will have every non-dork password in it.

------
imp
So the summary is that he got hacked because he reused an insecure password
for his administrator account on SO. The guy who logged into his account seems
to have broken ethical and legal obligations to the original website that he
got the password from.

~~~
boundlessdreamz
Hmm..not so black and white I think. He helped out Jeff and there was nothing
malicious done. If I was in Jeff's position I would be thankful.

------
snorkel
I don't understand how the attacker got his hands on the MD5'd password? Does
Open ID expose that data to anyone?

~~~
jameskpolk
He didn't. The attacker helped out with a site that didn't use OpenID and
doesn't salt their passwords.

And Jeff used an insecure password on both the "evil site" and his Open ID
provider.

The attacker only had access to Jeff's hash because he had access to a site
that Jeff used.

~~~
zmimon
To be explicit: the attacker was given trusted access to the password database
on another site and violated that trust. The fact that the site used poor
security and that Jeff was stupid enough to use the same password in two
places doesn't mitigate it.

I was expecting the answer to be that Jeff somehow revealed his real password
publicly somewhere, not that this idiot stole it from a database that he had
trusted access to.

This would be grounds for instant dismissal or even legal action in my book.

~~~
dinkumthinkum
But that's irrelevant once your identity is stolen.

~~~
zmimon
It might be irrelevant to Jeff, but it wouldn't be irrelevant to me if I was
the one employing this person to work on my web site.

------
lallysingh
This sound about right?

Add a column named 'salt' to USER, then the PASS column=PASSWORD(salt+'text');

~~~
ComputerGuru
PASS column = MD5(MD5(plaintext_pass) + salt)

SALT column = salt

Is the way used in most distributable web applications.

~~~
jf
I think what you actually want is:

PASS column = HMAC(plaintext_pass, salt)

I might be wrong? As I understand it there are issues with MD5(MD5(password) +
salt) that HMAC avoids. I'm still not 100% sure I understand the difference,
but I think that is what the wikipedia article on HMAC is saying:
<http://en.wikipedia.org/wiki/HMAC#Design_principles>

~~~
judofyr
HMAC is mostly useful when you want to verify that some text hasn't been
altered. The client sends message + HMAC(message, secret) and then the server
(which also knows the secret) can verify that no-one has changed the message.

Dunno if it helps anything when it comes to salting. Anyone else who knows?

