Syrian President's Emails Hacked - Password 12345

[TheAnimus]

http://www.techdirt.com/articles/201...as-12345.shtml

Seriously.

[Saracen]

Hmmm. I'd have guessed at "open sesame".

[Biscuit]

or "guest"

http://www.youtube.com/watch?v=UduILWi2p6s

[Saracen]

On a forum I ran many years ago, I did a database search and it was astonishing how many people used "password" as their password. And "open sesame" ran it a fairly close second. Mind you, that's a trivial forum, not a head of state's email account (allegedly).

[MadduckUK]

On a forum I ran many years ago, I did a database search and it was astonishing how many people used "password" as their password.

no, that's not the astonishing thing here.

[dave87]

On a forum I ran many years ago, I did a database search and it was astonishing how many people used "password" as their password. And "open sesame" ran it a fairly close second. Mind you, that's a trivial forum, not a head of state's email account (allegedly).

You stored passwords in plaintext?

[Saracen]

no, that's not the astonishing thing here.

It was the astonishing thing there. The point, by the way, was to assess the situation prior to tightening security, which subsequently forced a password change and precluded the more obvious ones.

[Saracen]

You stored passwords in plaintext?

Nope. They were stored as MD5 hashes. But if you MD5 "password" and do a database search on that value, you got a list of hits. And by the way, I didn't write the software, or determine how it stored passwords, or have any control over how it did it. It was a commercial product.

[dave87]

I did think that might have been what you'd have done, but there was the niggling doubt mind....

[TheAnimus]

Single MD5, un-salted? Amazing how many people think "job done"...

[finlay666]

Nope. They were stored as MD5 hashes. But if you MD5 "password" and do a database search on that value, you got a list of hits. And by the way, I didn't write the software, or determine how it stored passwords, or have any control over how it did it. It was a commercial product.

You didn't salt your hash?

Must be back in the day, anything less than a salted SHA256 is considered insecure by many techies I know as it's easier (especially in asp.net) to hash with md5/sha1 instead of taking the effort to build a hashing system for sha256/512 that can incorporate a salt.

TheAnimus: We picked up a project for a large legal client, all their clientel passwords were stored in plain text, banking details too, it was a sony scale fail (the excuse from the previous dev was that it was not externally facing...)

[Saracen]

You didn't salt your hash?

I didn't pepper or vinegar it, either.

As I said earlier ....

1) It was "many years ago"
2) I didn't have any control over how commercial software stored it's passwords.

The software did it how the software did it, and that was that. I didn't write the stuff. I just used it.

[streetster]

or "guest"

http://www.youtube.com/watch?v=UduILWi2p6s

I guessed the reference before clicking the link -- gotta love Archer