CodingHorror – In my previous post I Just Logged In As You, I disclosed that someone was logging in as me — specifically because they discovered my password. But how?
If I wanted to discover someone’s password, I can think of a few ways:
1. Educated guess. If you know someone’s birthday, their pets, their children’s names, favorite movies, and so on — these are all potential passwords in various forms. This is classic social engineering, and it can work; that’s essentially how Sarah Palin’s email was hacked. While my password was weak, it wasn’t anything you could reasonably guess based on public information available about me.
2. Brute force dictionary attack. If login attempts aren’t meaningfully rate limited, then you can attempt a dictionary attack and pray the target password is a simple dictionary word. That’s how one Twitter administrator’s account was compromised. But failing to rate limit password attempts is strictly amateur hour stuff (and I’d argue borderline incompetence); no OpenID provider of any consequence would make this mistake.
3. Interception. Eavesdrop on the user in any way you can to discover their password: install a hardware keylogger, software keylogger, or perform network sniffing of unencrypted traffic. If you have physical access to the user, low-tech analog methods such as watching over someone’s shoulder as they type in their password are effectively the same thing. While I can’t rule out paranoid fantasies of keyloggers, if my machine was so thoroughly 0wnz0red, I think my OpenID password would have been the least of my worries at that point.
4. Impersonation. Commonly known as phishing. You present the user with a plausible looking login page for a service they already use, and hope they enter their credentials. Alternately, in the depressingly common Web 2.0 style, you can just demand that users give up their credentials for some trivial integration feature with the target website. I consider both forms of phishing, and I call it the forever hack for good reason.
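To make the rate-limiting point in item 2 concrete, here is an added example (my own, not from the original post or any OpenID provider) of a per-account exponential backoff throttle, plus a simulation showing how many guesses from a constructed wordlist a one-guess-per-second dictionary attack actually gets checked in an hour with and without it. The account name, delays and wordlist are assumptions chosen for illustration.

```python
import time
# Constructed example: per-account exponential backoff on failed logins.
# Delay doubles per consecutive failure (1 s, 2 s, 4 s, ...) up to
# max_delay; the failure counter resets only on a successful login.
class LoginThrottle:
    def __init__(self, base_delay=1.0, max_delay=3600.0, clock=time.time):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock        # injectable so simulations are deterministic
        self.failures = {}        # account -> consecutive failed attempts
        self.blocked_until = {}   # account -> time the current backoff expires

    def allowed(self, account):
        return self.clock() >= self.blocked_until.get(account, 0.0)

    def record_failure(self, account):
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        delay = min(self.base_delay * 2 ** (n - 1), self.max_delay)
        self.blocked_until[account] = self.clock() + delay
        return delay

    def record_success(self, account):
        self.failures.pop(account, None)
        self.blocked_until.pop(account, None)


def simulate_dictionary_attack(wordlist, real_password, budget_seconds, throttled):
    """One guess per second against 'victim'; returns (guesses checked, found)."""
    now = 0.0
    throttle = LoginThrottle(clock=lambda: now) if throttled else None
    words = iter(wordlist)
    checked, found = 0, False
    for tick in range(budget_seconds):
        now = float(tick)
        if throttle is not None and not throttle.allowed("victim"):
            continue                  # rejected before any password check
        guess = next(words, None)
        if guess is None:
            break
        checked += 1
        if guess == real_password:
            found = True
            break
        if throttle is not None:
            throttle.record_failure("victim")
    return checked, found

# Constructed wordlist; the real password sits at position 1337.
WORDLIST = [f"password{i}" for i in range(5000)]
REAL_PASSWORD = "password1337"
```

Unthrottled, the attacker reaches the password after 1338 checks; throttled, only 12 guesses are processed in the whole hour. A per-account backoff alone lets anyone lock a legitimate user out by deliberately failing logins, so a real deployment pairs it with per-source limits and monitoring rather than relying on it by itself.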
So which of these methods did this person use to obtain my password? None of them.