Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords

Posted by timothy on from the pretty-pictures-ugly-facts dept.

First time accepted submitter radudragusin writes "IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available, but I took the liberty to analyse it briefly."

12 of 160 comments (clear)

  1. Finally! by wonkey_monkey · · Score: 4, Insightful

    Some actual news for nerds, and from the horse's mouth. And graphs and everything. Love it.

    --
    systemd is Roko's Basilisk.
    1. Re:Finally! by Anonymous Coward · · Score: 5, Insightful

      Yeah, but the "most used passwords" should really be a bar graph not a line graph. It's not like the midpoint between "ADMIN123" and "IEE2012" makes any sense.

  2. Well... by fuzzyfuzzyfungus · · Score: 5, Funny

    Does this make plaintext password storage an IEEE standard now?

    That could save an, er, friend of mine, a lot of work...

    1. Re:Well... by tangent3 · · Score: 5, Informative

      Disclaimer: I've RTFA'ed

      The passwords were not stored in plaintext.
      However, the web server access logs logged the passwords entered in plaintext. That was what was downloaded from a publically access ftp folder.

  3. AFAICT IEEE didn't warn its members yet... by Anonymous Coward · · Score: 4, Interesting

    Why do we need to learn this from the newspaper?

  4. Secure password message falls on deaf ears by Tridus · · Score: 4, Insightful

    You'd think that people involved with the IEEE are a group that should know better, and yet the most common passwords according to the analysis reads like the usual suspects list from other breaches. They're still common, easily guessable passwords. Hashing wouldn't have protected them very long, as these are on the short list for any cracking program to test.

    It should be a wake up call that our current methods of trying to get users to pick secure passwords are a total failure. We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Secure password message falls on deaf ears by MadKeithV · · Score: 5, Funny

      . We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

      Maybe it would work if we could get a battery-powered horse to staple the correct message to people.

    2. Re:Secure password message falls on deaf ears by tlhIngan · · Score: 4, Interesting

      You'd think that people involved with the IEEE are a group that should know better, and yet the most common passwords according to the analysis reads like the usual suspects list from other breaches. They're still common, easily guessable passwords. Hashing wouldn't have protected them very long, as these are on the short list for any cracking program to test.

      It should be a wake up call that our current methods of trying to get users to pick secure passwords are a total failure. We need to go back to the drawing board and figure out a better way to get the message across, including tools to make it easy for people to get it right.

      The question becomes though - what benefit does it do me to have a strong password on sites I don't value?

      Like say, /. - why not use "password" or "123456"? If someone breaks in, BFD.

      Likewise, many forums and blogs require registration to do basic things - seems like "password" or "123456" is useful for a one-time throwaway account.

      The IEEE has a similar problem. Sometimes it protects great assets (member-only access to papers/journals/standards), othertimes, it's used because some guy wanted the 802.x spec (available for free, registration required), in which case they'd just pick some throwaway password because so what if it's compromised?

      And that's the thing - I've seen websites host some files I wanted require changing passwords every 30 days with upper case, lower case, numbers AND symbols. Secure, sure, but everytime I used it (every few months), I needed to reset it. In the end I just ended up using their temporary password, remembered in browser. To me, it wasn't terribly important files (they still needed a license key, available separately). Hell, if I looked, I could've found the same files off a torrent site.

      Oh, and "value" of a site is a personal judgement - if you asked a bunch of websites, you'd find they'd value their content "above average".

  5. Re:For God's Sake by xxxJonBoyxxx · · Score: 4, Informative

    >> when are we going to all start hashing and salting passwords?

    Please RTFA. The exposure wasn't in password STORAGE, it was in password LOGGING. (The stored passwords may already have been hashed and salted for all we know, but the FTP server was writing them to log files out in clear text!)

  6. Re:small error? by nedlohs · · Score: 4, Funny

    One has an uppercase 5. The other is all lowercase.

  7. FYI: password hashing doesn't matter when... by nweaver · · Score: 4, Informative

    Password hashing doesn't matter when the login password is conveyed in a URL and the URLs fetched are logged.

    From the article, its clear that this is what happened: the login process creates a URL with the username & password in it, and since the URLs were logged and accessible, the login passwords could be obtained in the clear.

    --
    Test your net with Netalyzr
  8. Re:For God's Sake by teslar · · Score: 5, Interesting

    I'm a scientist. I write papers that are published in academic journals and I review such papers for journals. Journals use editorial managers to, well, manage, the entire process and you'd be surprised how often those send out automated e-mails that, helpfully, contain my login and password IN PLAINTEXT, just in case I might have forgotten (even if I did not request the password).

    In general terms, if you use a website that is able to remind you of your password if you forgot, consider that password known to the world and all other accounts that use the same or a similar password at high risk of being compromised.

    Oh and I have an Obligatory XKCD too.