OAuth, OpenID Password Crack Could Affect Millions
CWmike writes "Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into websites such as Twitter and Digg. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This may all sound very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft's Xbox 360 gaming system, and people who build smart cards have added timing attack protection for years. The researchers plan to discuss their attacks at the Black Hat conference later this month in Las Vegas."
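The flaw described above is an early-exit byte comparison: verification stops at the first mismatching byte, so response time grows with the length of the correct prefix. The following is an added illustration (not code from the article, the researchers, or any OAuth/OpenID library): it instruments a naive compare against a constant-time one, using "bytes examined" as a stand-in for elapsed time, and shows the stdlib fix. The key and message are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample key for the demo; a real verifier would load its own secret.
KEY = b"constructed-demo-key"

def sign(message: bytes) -> bytes:
    """HMAC-SHA256 tag, the kind of value an OAuth-style signature check compares."""
    return hmac.new(KEY, message, hashlib.sha256).digest()

def naive_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (match, bytes examined).

    The second value models elapsed time: it rises with the length of the
    correct prefix, which is exactly the signal a timing attack measures.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:          # the leak: stops at the first wrong byte
            return False, examined
    return True, examined

def constant_time_equals(expected: bytes, supplied: bytes) -> tuple[bool, int]:
    """Accumulates the XOR of every byte pair and never exits early, so the
    work done does not depend on where (or whether) a mismatch occurs."""
    if len(expected) != len(supplied):
        return False, 0
    acc = 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        acc |= x ^ y        # any differing bit sets acc non-zero; no branch on data
    return acc == 0, examined

def verify(message: bytes, supplied_tag: bytes) -> bool:
    """What production code should do: use the library's constant-time compare."""
    return hmac.compare_digest(sign(message), supplied_tag)
```

The length check in both functions still reveals the tag length, which is acceptable for fixed-size MACs; the point is that the per-byte loop must not branch on secret data.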
ON MODERN CPU'S THAT ARE RUNNING A COMPLETE WEB-SERVICE, YOU DON'T CARE, NOT EVEN ABOUT THE FUCKING CONTEXT SWITCH. 1990 CALLING, THEY WANT THEIR ASSEMBLY LEVEL OPTIMIZATIONS BACK.
Ye gods, does this whole thread consist of idiots or what?
Oh, and you still are repeating the same idiocy as everybody else here saying that storing salt with hashed passwords is more secure than not.
Can you count numbers? Count this: what's the difference between knowing the hash value of a password without salt and knowing the hash value of a password that has salt AND knowing the salt? Do that math; you'll figure it out eventually that those values are the same.
You can't handle the truth.
You are a snake oil salesman who stares at the obvious truth and refuses to admit being wrong, and you are projecting this trait onto me.
You can't handle the truth.
Once again you are avoiding answering this simple question, because you know there lies the truth and you can't have it.
Why is storing a hash of a password less secure than storing a hash of a password and storing a salt for it?
Don't answer, you can't; you are programmed not to be able to answer this. In the face of the obvious inconsistency you shy away from thinking about it, falling back onto a pre-programmed reaction.
It is also funny how you believe that this specific issue is going to lead to my systems 'getting owned' without knowing anything about my systems. That's another pre-programmed reaction, which is also nonsense, and it leads me to conclude that you are useless and I wouldn't have you anywhere near my systems.
You can't handle the truth.