RockYou password snafu exposes webmail accounts

Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs. RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email …

COMMENTS

This topic is closed for new posts.
  1. Chris Miller
    FAIL

    No stored passwords, ever

    Even storing encrypted passwords is an unnecessary risk, when there's a simple solution - calculate a standard hash and store that for comparison with one generated each time the password is entered.

    I used this process on a mainframe SSO system I wrote 20 years ago (in COBOL, like anyone cares) for heaven's sake.

    1. Anonymous Coward

      Doesn't really help them

      AFAIK RockYou store your myspace etc password so that they can log into your account and post, so a hash, salted or otherwise would be completely useless to them. They should clearly have encrypted them though, which would be more or less as effective as a salted hash, and would be far better than a simple md5 hash.

  2. deadlockvictim

    Website Namechange perhaps

    It seems to me that RockYou has 5 of the 7 letters correct. If they change the first two, then it will more accurately reflect their attitude towards their users.

  3. David 9
    Thumb Down

    Not a professional developer in my book

    SQL Injection always reads as: "Doesn't know what they are doing"

    Even if it's fixed, it shows the standards (or lack of) at RockYou.com.

  4. Peter Mc Aulay
    Grenade

    "It's unclear why RockYou left passwords on its systems without encrypting them"

    Oh, I think it's very clear...

  5. Jeremy 2

    "RockYou has reportedly fixed the issue"

    Slam! Went the stable door. Now, has anybody seen my horse?

  6. CD001
    Badgers

    The clue is in the title

    ------

    It's unclear why RockYou left passwords on its systems without encrypting them in the first place.

    ------

    Clueless developer - seems to cover all bases, it's not like they're uncommon - web 2.0 is made of them... and badgers of course.

  7. Anonymous Coward

    Dumbed Down

    "The users are young and security is not top of their minds"

    How could that be?! Those same youngsters are doing massively BETTER than their predecessors of previous decades by passing all their A level exams at greatly higher marks, going to university, then doing REALLY useful MBAs at the world's best business schools, working for the world's BEST and most useful companies!

    DOH!

    DOH!

    DOH!

    DOH *100 to the power of googel

    OMG, I just had a discussion with a colleague last night about how our late teen / early 20's kids are in Uni and somehow despite being nice, charming, passing exams....do not have an ounce of common sense or awareness of the real world!

    How did we fail, or how did the school fail in allowing them to be developed in cocoons!? What were they thinking (or were they sleeping) to use the same password for different sites?!

    I read somewhere that fluoride was added to water by the Germans in WW2 to make the POWs docile and compliant! OMG, that would explain a thing or two!!!!!!

    1. Tom Maddox Silver badge
      Grenade

      Shocking!

      By which I mean it's shocking, just shocking, that an old codger finds the youth of today to be vastly inferior to the youth of, er, yesterday. Enjoy your memories of your two-way hike uphill in the snow.

  8. LinkOfHyrule
    Coat

    Why?

    Why do some sites and developers cut corners like this? Surely anyone with an ounce of sense knows it's not worth the risk.

    I'd never heard of this RockYou thingy before today, Now of course I know of it, for the wrong reasons. DUH!

    Mine's the one with all the plain text user log-ins spewing out the pockets!

  9. Anomalous Cowherd Silver badge

    @ Chris

    I hope you're salting them!

    The hash is part of the solution, but without adding a salt it's only marginally safer than plaintext: it's easy to precalculate a few million passwords and compare them to any hashes you retrieve.

    Add a couple of random bytes to the password before hashing, and store those bytes with the hash so you can reuse them when you're generating a hash for comparison. This increases the search space by a cool 65,536 times and makes precalculated "rainbow tables" less useful.
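
Added example (not part of the thread or of any poster's code): the hash-and-compare scheme from Chris Miller's comment and the salting described in the reply above, sketched in Python. It goes beyond the two-byte salt suggested there by assuming a 16-byte salt and PBKDF2 as a slow hash; the function names, iteration count and sample users are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16       # assumption: wider than the two bytes suggested above
ITERATIONS = 200_000  # assumption: PBKDF2 work factor, tune to your hardware


def unsalted_digest(password):
    """Bare hash, no salt: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$hash_hex', stored in place of the password."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)


def demo():
    # Constructed sample: two users who picked the same password.
    users = {"alice": "letmein", "bob": "letmein"}
    unsalted = {u: unsalted_digest(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        "salted_collide": salted["alice"] == salted["bob"],
        "good_login": verify_password("letmein", salted["alice"]),
        "bad_login": verify_password("letmein1", salted["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

Without a salt the two sample users end up with identical stored digests, so one precomputed entry matches both; with a per-user salt the records differ and each has to be attacked separately.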

  10. Anonymous Coward
    FAIL

    The worst idea in computer security ever, bar none.

    When I went and signed up for a facebook account(*) it asked me if I'd like to enter my hotmail username and password so it could spam all my contacts list with invites for me. I couldn't believe my eyes. Of course I didn't do it. The whole point of a password is that it's something that *only* you and hotmail know. If you tell it to someone else that's completely ruined it. You don't tell your password to a third party EVER, just like you don't ever give anyone the PIN number for your cash card.

    It's also a blatant ToS breach at pretty much every provider I'm aware of to disclose your password, and the big providers should have taken action to stamp out this practice the moment it began. If I was running hotmail or gmail, I'd have them detect any of these automated spamrun logins coming from facebook's or rockyou's (or whoever else's) servers and use it as grounds for termination (both because of the password disclosure, and because it's unsolicited non-opt-in bulk-emailing and frankly also because handing out your friends email addresses to other people without their permission is an asshole way to behave to them). That would stop this stupid and insecure practice dead in its tracks.

    (*) - and no, I am not interested in discussing the other unrelated privacy issues surrounding social networking in general, this thread is about giving your passwords to third parties.

  11. Anonymous Coward
    FAIL

    Such a shocking display of incompetence should be illegal

    Passwords in plaintext? If it isn't a crime, it should be.

  12. Kevin Reader
    FAIL

    But why does their website have the live accounts

    What no-one seems to have asked or answered is why the developers of the sites HAVE the user account data... Why would they even need this information, except indirectly during a live migration. Surely the developers would develop and then roll out the results to a live system nominally belonging to say facebook and only that system would have its passwords in it!

    Or is this what the story means? The implication is that the passwords were accessible at rockyou and not at say facespace.

    Obviously total fail for plaintext on any system - Blimey even /etc/passwd has better protection & functionality than that!

    1. Anonymous Coward
      FAIL

      Well, to answer the "why" part of that...

      ...as it says in the TechCrunch article, RockYou had those people's account data because people entered their passwords into RockYou's systems, both in order to set up separate RockYou accounts linked to their Facespacemybook accounts, and in order that RockYou could log into their mybookfacespace accounts to spam their friends on their behalf. In the first case they often used the same passwords for both accounts, which was a) careless of them and b) negligent of RockYou to store the passwords insecurely, but in the second case where RockYou was soliciting users to give up their passwords for third-party sites, RockYou's behaviour is actually serious misconduct.

  13. RW
    FAIL

    "The Mythical Man Month" by Frederick P Brooks

    A famous book still well worth reading. The author's premise was (is) that throwing manpower at a software development project is counterproductive because the necessary channels of communication become overloaded: multiply the workforce by a factor of two, and see the necessary communications go up by a factor of four.

    Brooks plumps strongly for the "chief programmer" paradigm wherein underlings only develop according to explicit directions from the head honcho. In the context of the matter at hand, it's clear that no one at RockYou was really in charge of the development effort - at least not anyone who knew what they were doing and understood that security is the single most important issue in development of interactive websites.

    What I smell in all this is the usual MBA bullshit that views worker drones as interchangeable cogs in the mechanism. Thus, security issues are liable to default into the lap of some inexperienced dude who doesn't really understand them.

    Without a single point of control over critical system details, any development effort is very likely to fail - as has happened in this case.

    Oh, and before I forget it, let me utter that revolutionary cry "to the wall with the MBAs!".
