Twitter Hack Details Revealed
Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced.
Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."
Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.
"For every right, an equal responsibility..."
This is one of my favourite security conundrums.
How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?
Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).
IP Limit - Very easy to bypass with a proxy list.
Hard Account Limits - Denial of service
Thus is the problem. How do you limit logins without hurting legitimate users?
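Added example, not part of the original thread: one way to approach the trade-off raised in the comment above is a delay that doubles per account instead of a hard lockout, with any source that has already logged in successfully kept in its own bucket. The names `LoginThrottle` and `simulate`, the thresholds, and the idea of identifying a "source" by address or device cookie are all assumptions made for this sketch.

```python
import time

class LoginThrottle:
    """Backoff per account; sources with a prior successful login get their own bucket."""

    def __init__(self, free_attempts=5, base_delay=1.0, max_delay=900.0, clock=time.monotonic):
        self.free_attempts, self.base_delay, self.max_delay = free_attempts, base_delay, max_delay
        self.clock = clock
        self.known = set()        # (account, source) pairs that have logged in successfully
        self.failures = {}        # bucket -> failed attempts counted against it
        self.blocked_until = {}   # bucket -> time before which attempts are refused

    def _bucket(self, account, source):
        # All unrecognised sources share one bucket per account, so rotating
        # proxies does not reset the counter; a recognised source is isolated.
        return (account, source) if (account, source) in self.known else (account, None)

    def allowed(self, account, source):
        return self.clock() >= self.blocked_until.get(self._bucket(account, source), 0.0)

    def record(self, account, source, success):
        if success:
            self.known.add((account, source))
            self.failures.pop((account, source), None)
            return
        bucket = self._bucket(account, source)
        n = self.failures[bucket] = self.failures.get(bucket, 0) + 1
        over = n - self.free_attempts
        if over > 0:  # delay doubles with each failure past the free attempts, up to a cap
            delay = min(self.base_delay * 2 ** min(over - 1, 20), self.max_delay)
            self.blocked_until[bucket] = self.clock() + delay

def simulate():
    """Constructed scenario: one guess per second for 1000 s from rotating addresses."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    throttle.record("alice", "home", success=True)       # owner's usual source
    checked = 0
    for i in range(1000):
        now[0] = float(i)
        proxy = f"203.0.113.{i % 254 + 1}"               # documentation-range addresses
        if throttle.allowed("alice", proxy):
            throttle.record("alice", proxy, success=False)
            checked += 1
    now[0] = 1000.0
    return checked, throttle.allowed("alice", "home"), throttle.allowed("alice", "new-laptop")

if __name__ == "__main__":
    print(simulate())
```

The remaining cost is visible in the last value returned: while guessing is in progress, the owner is delayed on a source the service has never seen, but is not locked out of the one already recognised.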
Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. doing the same is run by morons, and should go back to journalism school.
Overrated, really? I thought it was hilarious even if it was crude and cynical.
You don't (probably) use the same key for your house and your car and your safety deposit box
No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.
Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card, and other valuables. Unlike money and cards, the passwords are easily disguised as building addresses (1234 Spring Street) or phone numbers (525-1234). Yeah, posting it on a post-it on the monitor is stupid, but keeping it written down with other valuables allows you a tougher-to-crack password, one against which a dictionary attack like the one used at Twitter is impossible. E.g., d5#6*;mtTMbp can't be remembered by anyone but a savant, but if it's written down it can't be forgotten.
You could also use the title of a book, write that down, and use every nth character in the password. For example, Shrew 9 would be SBlatsle which is every ninth character (excluding spaces) from the introduction to Wm Shakespeare's Taming Of The Shrew.
Free Martian Whores!
You all need to ban the IP that keeps posting these. This has been on two stories in the past two days (this being the 2nd). These are vulgar profanities that should offend all people of every color and creed by their racism. I hope the guy who posted these doesn't have any mod points soon because if he does I'm hosed.