Slashdot Mirror


Twitter Hack Details Revealed

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."

5 of 222 comments

  1. Re:After all of this... by NewbieV · · Score: 3, Interesting

    Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.

    --
    "For every right, an equal responsibility..."
  2. Limit logins without DOS? by Manip · · Score: 4, Interesting

    This is one of my favourite security conundrums.

    How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

    Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

    IP Limit - Very easy to bypass with a proxy list.

    Hard Account Limits - Denial of service

    Thus is the problem. How do you limit logins without hurting legitimate users?

    1. Re:Limit logins without DOS? by paulhar · · Score: 3, Interesting

      One way would be to get progressively slower at *processing* a login for a particular user based on the number of failed attempts. I.e. user enters a password, the timer ticks away, and then at the end it really does the test and checks if the password was right.

      You would typically double the time delay with a reasonable limit of say 1 minute so that each failed attempt sticks at 1 minute delay.

      You put up a banner after the delay reaches 10 secs or so saying "Your login will be slower as you have had X failed attempts recently".

      Then elsewhere you limit the number of failed logins from a single IP address to different accounts via a similar method to slow them down trying 100,000,000 accounts with password X.

      Oh, and internally you check that passwords aren't common dictionary attack words to prevent users from running with knives when they create / modify their account...

    2. Re:Limit logins without DOS? by Phrogman · · Score: 4, Interesting

      Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third, while the script will die a slow death.

      --
      "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
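The throttling scheme sketched in paulhar's and Phrogman's replies above, as an added example that is not from the thread or from Twitter: a hypothetical in-memory `LoginThrottle` that doubles the per-account delay on each failure (capped at 1 minute), shows the warning banner once the delay reaches 10 seconds, slows a single IP that fails against many distinct accounts, and rejects common dictionary words at account creation. Clearing an account's counters on a successful login is an assumption of this example, and `COMMON_WORDS` is a constructed stand-in for a real wordlist; Phrogman's fixed "+x seconds" step would be a one-line change to `backoff`.

```python
import time
from typing import Callable, Dict, Optional, Set

CAP_SECONDS = 60.0      # delay stops doubling here ("sticks at 1 minute")
BANNER_SECONDS = 10.0   # show the warning once the delay reaches this

def backoff(failures: int) -> float:
    """Doubling delay per failure: 0, 1, 2, 4, ... capped at CAP_SECONDS."""
    return 0.0 if failures == 0 else min(2.0 ** (failures - 1), CAP_SECONDS)

class LoginThrottle:
    """Per-account failure counts and, per IP, the distinct accounts that failed from it."""

    def __init__(self) -> None:
        self.account_failures: Dict[str, int] = {}
        self.ip_failed_accounts: Dict[str, Set[str]] = {}

    def delay_for(self, account: str, ip: str) -> float:
        per_account = backoff(self.account_failures.get(account, 0))
        per_ip = backoff(len(self.ip_failed_accounts.get(ip, set())))
        return max(per_account, per_ip)

    def banner(self, account: str) -> Optional[str]:
        n = self.account_failures.get(account, 0)
        if backoff(n) >= BANNER_SECONDS:
            return f"Your login will be slower as you have had {n} failed attempts recently"
        return None

    def record(self, account: str, ip: str, success: bool) -> None:
        if success:  # assumption: a correct password clears this account's counters
            self.account_failures.pop(account, None)
            self.ip_failed_accounts.get(ip, set()).discard(account)
        else:
            self.account_failures[account] = self.account_failures.get(account, 0) + 1
            self.ip_failed_accounts.setdefault(ip, set()).add(account)

def attempt_login(throttle: LoginThrottle, verify: Callable[[str, str], bool],
                  account: str, ip: str, password: str,
                  sleep: Callable[[float], None] = time.sleep) -> bool:
    """Wait out the current delay first; only then actually test the password."""
    sleep(throttle.delay_for(account, ip))
    ok = verify(account, password)
    throttle.record(account, ip, ok)
    return ok

# Constructed stand-in for a real common-password list, checked when a password is set.
COMMON_WORDS = frozenset({"password", "letmein", "qwerty", "monkey"})

def is_dictionary_word(password: str) -> bool:
    return password.lower() in COMMON_WORDS
```

Because the wait happens before the password is even checked, a correct guess pays the same delay as a wrong one, so a scripted attacker cannot shortcut the cost by hitting the right password early.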