
Mark Zuckerberg's Twitter and Pinterest password was 'dadada' - alexwoodcreates
http://www.theregister.co.uk/2016/06/06/facebook_zuckerberg_social_media_accnt_pwnage/
======
ff10
I mean... maybe it's non-trivial passwords that held me back in life

------
6stringmerc
I guess he really liked that Volkswagen commercial?[1]

[1]
[https://www.youtube.com/watch?v=jdccNAOvPHg](https://www.youtube.com/watch?v=jdccNAOvPHg)

~~~
Fiaxhs
You read the article about Subaru and lesbians, right?

~~~
6stringmerc
I sure did! It was a great study and quite fascinating from a marketing
perspective.

I do remember in middle school (a religious one) a classmate got in trouble
(detention?) for loudly wondering if the Biology teacher and softball coach in
her 30s with short hair and drove an Isuzu Rodeo might be a lesbian.

------
Guildpact
Why did the article state that this is a problem even if one is using 2FA?
Even if you reuse passwords, 2FA would stop most attacks it seems or slow them
down incredibly, where you would be alerted to the multiple attempts to guess
the 2FA code before it was actually cracked.

------
lgrapenthin
This reminds me of Gabe Newell, whose password was "gaben" when hackers
announced gold status of Half-Life 2 early.

------
expertentipp
Who would have guessed he is a dadaist.

~~~
_pmf_
Facebook is full of accidental dadaists.

------
astazangasta
Can someone explain to me why we are still using passwords? It's not like we
don't have better technology. Why can't I just authenticate everywhere with a
signed token? What's standing in the way of this?

~~~
tlrobinson
Passwords are simple and convenient. Everyone basically understands how they
work, and you can keep them in your head (not that you _should_).

EDIT: I'm not saying passwords are ideal, just giving context as to why they
haven't been replaced.

~~~
astazangasta
Passwords are NOT simple and convenient; they are cumbersome and hard to
remember, cause huge security problems, and are basically only standing on top
of the crutch of email forgot-your-password systems.

~~~
tlrobinson
Yes, _good_ passwords are hard to remember, and bad or reused passwords are a
security risk, but conceptually passwords are way simpler and more convenient
than the alternatives, for the average user.

All I need to log in from any device in the world is my password. As soon as
you introduce tokens or private keys or whatever, you need something to
securely store that, most likely protected by... a password.

I can imagine some crazy implant + biometric authentication scheme but we're a
long ways off from that sort of thing being universally accepted.

~~~
astazangasta
I keep an ssh key on a USB drive on my keychain. The physical analogy to a key
is easy to grasp and totally appropriate. You don't expect to get into your
house without your keys; similarly, if we turn the key into a physical object
on your person, we can build off an existing habit. I don't think this should
be terribly difficult.

------
continuations
Does this mean LinkedIn stores unencrypted passwords? That's pretty hard to
believe.

~~~
benmmurphy
It means passwords like dadada can be reversed from hashes.

~~~
continuations
Not if it's salted, no?

~~~
misterrobot
It wasn't salted, but even then a targeted effort could almost certainly crack
a password as bad as dadada almost immediately for a fast hash like sha1.

~~~
continuations
That's what I find hard to believe though. LinkedIn, a $20B giant, doesn't
salt its passwords and uses something as weak as sha1? I would expect even a
1-person startup to do better than that.

~~~
phpnode
That doesn't need to be true for this to have happened. Zuck is a high-profile
target; probably the hackers just prioritised cracking his account, and such a
weak password would be found reasonably quickly even using bcrypt.

~~~
EGreg
Can you prevent targeted attacks, or is salting the state of the art?

What if the salt was derived from a key the user had to supply and wasn't
stored anywhere?

~~~
jdmichal
Salting has zero effect on the targeted cracking of a single password. Salting
protects against rainbow tables - sets of pre-calculated hashes of plain-text
passwords. These are dangerous because an attacker has a large amount of time
to pre-calculate hashes, but (hopefully) only a small amount of time to
calculate after a dump before the password is changed. However, if you are
starting from scratch and have a single password to crack, there's no
difference between a salted and unsalted password.

Modern state of the art for targeted attacks is to use slow hash algorithms,
such as bcrypt. They have little effect on normal operations, as most users
will get the right password within a few tries, so you're adding a negligible
amount of time per user. But the extra time has a huge effect when an attacker
is trying to calculate millions of hashes for a single user.

~~~
EGreg
Just out of curiosity, how is SHA composed with itself 1023 times worse than
bcrypt? Is it because bcrypt is also memory bound?
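An added example (not from any commenter in this thread) illustrating the two points made above: a per-user salt defeats a precomputed lookup table, and an iterated key-derivation function makes each single guess expensive. PBKDF2 from the Python standard library stands in for bcrypt's work factor here, which is an assumption of the demo, not the scheme LinkedIn used; the candidate list is constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed list of weak candidates for the demo (not a real wordlist).
WEAK_CANDIDATES = ["123456", "password", "dadada", "qwerty", "letmein"]


def fast_unsalted(password: str) -> str:
    """Legacy scheme discussed in the thread: a single SHA-1, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputed_table(candidates) -> dict:
    """Reverse lookup (hash -> password), the idea behind a rainbow table.
    It can be built long before any dump, but only for one fixed scheme."""
    return {fast_unsalted(p): p for p in candidates}


def slow_salted(password: str, salt: bytes, iterations: int) -> bytes:
    """Per-user salt plus an iterated KDF; the iteration count is the
    tunable 'work factor' that makes every guess cost real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str, iterations: int = 200_000) -> dict:
    """What a verifier should keep: random salt, work factor, derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_salted(password, salt, iterations)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = slow_salted(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def guess_cost_ratio(iterations: int = 200_000) -> float:
    """How many single-SHA-1 guesses fit in the time of one KDF guess.
    This is the 'huge effect' on targeted cracking that salting alone lacks."""
    t0 = time.perf_counter()
    for _ in range(1000):
        fast_unsalted("dadada")
    per_sha1 = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_salted("dadada", b"\x00" * 16, iterations)
    return (time.perf_counter() - t0) / per_sha1
```

Two users who both pick "dadada" get different records because their salts differ, so a table built for one scheme cannot be reused, but the example also shows why that does not slow down a single targeted guess: only the iteration count does.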

------
kelukelugames
I wish Facebook execs would come back to Twitter and other competing social
media. Facebook seemed to have issued an executive ban a few years ago and
they all went silent.

Disclaimer: this is personal observation.

------
zerooneinfinity
Someone should try badadada -
[https://www.youtube.com/watch?v=CQQlCGHOBGI](https://www.youtube.com/watch?v=CQQlCGHOBGI)

------
zAbso
I'm more surprised that LinkedIn stores passwords so unsafely, considering the
type of people that use their services.

~~~
talmand
At this point I'm more surprised when I hear about a major company with a
large user base being secure.

------
0xmohit
Prediction: 'dadada' would feature in the next most passwords list.

------
tlrobinson
Perhaps it just shows how little he cared about competing social networks?

------
ff10
I'm hearing Stefan Remmler is suing for 1 billion. Hahaha

------
curiousgal
Funny, my Facebook password is actually 'adadad'

