The Daily Click ::. News
 
Security
News posted 3rd June, 2003 by ShadowCaster  
Hi all :) It's me, your friendly DC administrator here with a message about keeping your accounts secure.

Your probably wondering what I can tell you that you dont already know? Considering the "hack" yesterday was against an administrator here, it goes to show that even the people who are working behind the scenes in the community can get things wrong every now and then.

You'll notice that I put "hack" in inverted commas. This is because there are several methods for retrieving passwords used on a website that doesnt really require any skill, and last night, it was one of these methods that was used against us.

The first method seems rather obvious once you know about it, but it may not have crossed your mind. Let me just say that not everyone that runs a community site (nor the administrator's that they've chosen) may be trustworthy. For people with appropriate access, it is easy to find out a users password. So if you use the same password on DC that you do another community site, it's extremely easy for someone to exploit that and access your account simply by finding out what your password is on their own site.

The second method is a "brute force" attack. This simply means that, while no real hacking methods are used, what is done is a user will run a program that constantly tries to login to a website using many different passwords until it finds one that works.

So how can you minimise the chance of being "hacked"? First of all, use different passwords for different sites. Secondly, use long passwords which use special characters such as numbers and symbols. As brute force attacks can check only a small number of passwords at a time, the longer and more complex you make your password, the harder it's going to be for the brute force program to find out what it is.

So I urge everyone here to take these precautions, because if someone get's hacked after this warning I'm not going to try and retrieve their account like I did this time around, instead I'll just remove the account completely. So take care with your passwords; make them different, make them complex.

~Mike

Additional: All site administrators have had their passwords reset. To access your account, please email me here.




Posted by DeadmanDines 3rd June, 2003

The best method I find is if you whip open Character Map and find a character or two that are NOT used routinely by any language - so that could be , , , , , , , , or similar ones, but NOT , , , , , . This is because, for example, if your 'hacker' is English, they'd need to know the code for the German double-s() in order to type it, but if they're German, they just press a quite clearly marked key combination, such as perhaps ALT+S. It's best if you memorise the alt code for your character too, and then integrate that in your password. Already you now have otherwise meaningless numbers and a funny symbol in your password. An example would be 0182 - the paragraph symbol, which is - yep you guessed right - alt+0182. You can then combine that with a code that no one but you could possibly know. What does it say on the back of your bus ticket, for example? What's the number below the barcode of your favourite crisps? Things that could have meaning for you, but no one else. Think back to your childhood - are there any 'secret codes' or 'passwords' you used to use with your friends? Perhaps you memorised your membership number to a certain club? Mingle whatever code you choose in with the code we previous decided. So now, if we imagine that my bus ticket says BR-DEY-BUS-095, then you could make a simple and effective password just out of: BR-0182DEY-BUS-0182095 Practice typing it a few times, and you'll get very used to using the alt+whatever key combination for the special characters.
 
Posted by DeadmanDines 3rd June, 2003

(continuing from the above) DO NOT USE REAL WORDS. The only times I've ever been hacked is when I've used real words or names, rather than codes. Your code should also be interrupted, as the above one was, by other info. Here's another example: Say that the date you joined was 21-05-2003, and your mother's maiden name was Higgins, and your favourite cereal pack has a barcode of 006582707BE. 00-IHGGNI_S21052003-6582-707BE0182 Notice that the word 'Higgins' is in uppercase, and has every two letters switched. So HI becomes IH. If the word is one character short, use another symbol as the spare character - in this case an _underscore_. See how 'Higgins' becomes 'IHGGNI_S'? There are billions of possible choices you could do simply by mingling multiple odd bits of data together.
 
Posted by RapidFlash 3rd June, 2003

Could you make something where if someone tries to log in ten times with incorrect passwords they cannot log on on their computer for the rest of the day? and are good keys, too.
 
Posted by HOSJ 3rd June, 2003

Now who the F#% did this??
 
Posted by Eric 3rd June, 2003

How about if they are just logging on from an IP address thats not usual for them, ask them a preset question that they have come up with? But nevermind, that would seem easier to hack since it obviously has to be a word of some kind.
 
Posted by DeadmanDines 3rd June, 2003

I personally recommend an extensive log be made for each time someone gets the password wrong, as well as the exact time according to the server. That way you can tell the frequency of each attempt, which users they're trying to hack, etc. Maybe also the difference in ascii values of each attempt by the same user? This would be able to tell you if it was just trying one key, then another, then another and so on, without it logging the actual password entered. After all, imagine if you missed off a character once by accident! Your password minus just one character would now be logged, creating a huge security risk. But I think a general, detailed log would be good.
 
Posted by Steve Harris 3rd June, 2003

Hmmm I think i'll need one guess to guess who did this...
 
Posted by Aali [Crazy_Productions] 3rd June, 2003

is a good character, it has a special key on swedish keyboards which is quite stupid coz we never use it :) ( is good too, and easy to type in)
 
Posted by Joe.H 3rd June, 2003

Welcome back to all ye admins.
 
Posted by Villy 3rd June, 2003

Push the button!
 
Posted by Matt Boothman 3rd June, 2003

Try use numerals, symbols and letters (both cases).
 
Posted by DBack 3rd June, 2003

I've never heard "inverted commas" before
 
Posted by Kris 3rd June, 2003

' is an inverted comma. " is a speech mark
 
Posted by Joshtek 3rd June, 2003

Dr. evil was the one who created "quotation fingers" ;)
 
Posted by RapidFlash 3rd June, 2003

Or you could do a bunch of random Alt+### combos e.g. is Alt+789
 
Posted by Smeggy 3rd June, 2003

LOL, "time-machine" or "LASER" or "DEATH STAR" LOL :P
 
Posted by Smeggy 3rd June, 2003

Minime fire the "LASER"
 
Posted by ShadowCaster 3rd June, 2003

Aali: Just for the sake of saying things, isnt a swedish character as far as I know. At least where I'm from the symbol is shorthand for "Section" or "Chapter", etc. So if you have some text instead of saying "see chapter 7" you can just say "7".
 
Posted by - Yelnek - 4th June, 2003

Pig latine I believe could fool most programs no? I want to test this theoir some time ;) Instead of JackOffInOn as yur past you couls have... AckJayffOaynIaynOay
 
Posted by Muz 4th June, 2003

LOL, I use very easy to guess & remember passwords but so far, nobody has been able to find em. I've been threatened by Clan Horse and a an anti-Muz society, and I haven't been hacked. My secret? Use a bunch of words close to you, jumble em up, then add em up so your total password is at least 20 characters long :P. If you're as paranoid as I am, just add a simple number of something important (like 666 or 911) to the end of it. And you can even add a special character like Dines said. Hence, you get a very easy to use password, get to remember lotsa different passwords on different sites, and you're safe from most brute force hackers.
 
Posted by Mohr Stoutbeard 4th June, 2003

Aww, how cute. Muz thinks he's people.
 
Posted by Mohr Stoutbeard 4th June, 2003

Bada-kssh.
 
Posted by Aali [Crazy_Productions] 4th June, 2003

SC: why's there no such key on US/UK keyboards then?? (guess i'll just use then ;))
 
Posted by Aali [Crazy_Productions] 4th June, 2003

abcdefghijklmnopqrstuvwxyz (all the swedish chars, if anyone's interested :P)
 
Posted by RapidFlash 4th June, 2003

Kenley Browne: My brother's friend's friend did something like that with encryption. He said that all the guy did was switch the first bit of code with the second bit (not really a "bit") (more than two parts), and no one was able to crack his encrytpion.
 
Posted by ShadowCaster 4th June, 2003

Aali: I didnt say you dont use the character, I'm just saying it's not, by definition, a swedish character. Alebrain: if all he is doing is switching 2 bits around, then 1/3 of the time it's going to be the same. Do you mean characters or something? From memory a character is 2 bytes (16 bits).
 
Posted by Plasticow 5th June, 2003

Anyone who begins blamming ChrisD, Texmo, Clanhorse or anything associated with them will receive a fist full of penis. Mine.
 
Posted by ShadowCaster 5th June, 2003

The IP that was logged (yes, we log everything) doesnt lie, Plasticow.
 
Posted by Muz 5th June, 2003

Proxy?
 
Posted by RapidFlash 5th June, 2003

My bad, I just thought of Clam Horse. ShadowCaster, it wasn't 2 bytes, it's two parts of code, e.g. "Hello Johnson Red." would be "Johnson Hello Red.". And remember the quote from Hackers: Joey: "You don't teach me anything." the phreak: "That's not true. What are the three most common passwords?" Joey: "Love, secret and sex." Emmanuel Goldstein: "Yeah, but don't forget god. System adminstrators love to think they're God." Lesson: don't use any of the passwords above or any password that is like "homersimpson" or "madonna".
 


 
Author Info

ShadowCaster
Possibly Insane

Registered
  02/01/2002
Points
  2203

Advertisement

Worth A Click