eBay Japan Passwords Revealed As Username+123456
mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt used, which should have been random, was the combination '123456', which was reported as last year's worst password." Complete with visual aids.
That's the same password as my luggage!
....That's amazing! I've got the same combination on my luggage!
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Do you not get to change your eBay password... in Japan?
captcha: nipple. OK, that was worth it.
I too have seen Spaceballs.
s/[stupid comments]/[intelligent discourse]/gi
If the password was set by the system, either during a password reset or initial account creation, the first thing I do is change the password to a random one my password manager program's generated. Why were these accounts still using the system-created password? Also, the article seems to conflate two uses of the term "salt": the random nonce used to ensure the stored hash value isn't the same for two different accounts that picked the same password, and the random string used in the plaintext of the initial password to avoid a trivially-guessable "password same as username"-type case. The two aren't at all the same.
Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?
LUGGAGE DAMMIT
I love the title of your post, but I'm out of mod points.
Get free satoshi (Bitcoin) and Dogecoins
I just sold my 1971 Pinto to Hiroto Takahashi for 25,532,500 yen! Plus shipping!
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
My interpretation is that they used a) as b), which should be fine if the salt was actually salty. I think they did:
default_password = crypt(username+salt)
That would be fine if they used real salt (random), but instead they used Mrs. Dash salt substitute.
It looks from the video that the password is simply the username concatenated with a global string, "123456".
That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.
So all these discussions of salt are not at all relevant.
This is fundamentally a case of hard-coded credentials, which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)
It takes a seller 60 days to collect their money from ebay/paypal after selling an item. Yes, 60 whole days before you see a single cent from your sale.
But Elon Musk has a spaceship!
What the hell are you talking about?
Captcha: Musk
http://www.spacex.com/falcon9
How do they know that 123456 wasn't generated at Random? It has the same probability of occurring as any other 6 digit random number...
I've lived in Japan for over 20 years and I, like probably most people in Japan, didn't know it even existed.
XKCD
How do you know it's not random?
I don't want aids.
my password was 12345
so now it's 1234512345
haha
One site I've worked on uses the user ID, username, join date/time, and a secret per-site string as the salt for the password. User IDs are sequential and can be sort of guessed from the join date, but I'm under the impression that there's enough entropy in the minutes and seconds of the join date/time, and the secret per-site string keeps the lookup table from applying to more than one site.
The bad guys can already do that by trying to register an account with that username or by trying to send a private message to that username.
Which makes it impossible for blind people to use the web application.
Why 15 minutes? Some e-mail systems have been known to take longer than that to deliver a message. The site I've worked on uses a 24-hour expiry for these random one-time temporary passwords.
Thanks, because that was the part of the GP's comment that made no fucking sense
I was wondering; the text made no sense whatsoever.
It's actually not a problem if you force users to change their password upon their first login. It's stupid, but it's not a problem. The worst that can happen is that someone can hijack an account/username that's never been used before.
Uh, that's not a salt, it's a crappy password. A salt's purpose is to make hash(salt, value) result in something different than hash(salt2, samevalue). This protects against attacks against disclosed password databases. Also, for a salt, the user never types it in. The salt is stored near the password hash, is randomly generated by the application, and is never seen by the user.
On the other hand, this is a default (or possibly hard coded) password. In this case, the user types in their username concatenated with the common string 123456 to enter their password. Totally different place in the application. This has absolutely nothing to do with the password storage, nothing to do with the existence or lack of a secure hashing algorithm, and nothing to do with the existence or lack of a salt.
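To make the distinction in the comment above concrete, here is an added example (not code from eBay or from anyone in this thread) that puts the two things side by side: a random per-user salt that lives only in storage next to the hash, and a random, short-lived initial password that must be changed on first login instead of a predictable username + "123456". The PBKDF2 work factor, the 24-hour expiry and the record layout are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor for this demo

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is random, stored beside the hash,
    and is never shown to or typed by the user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def issue_initial_password(username: str, now: float,
                           ttl_seconds: int = 24 * 3600) -> Tuple[dict, str]:
    """Create an account record with a random temporary password.
    Unlike username + '123456' it is unguessable, expires, and must be replaced."""
    temp = secrets.token_urlsafe(12)
    salt, digest = hash_password(temp)
    record = {"username": username, "salt": salt, "digest": digest,
              "expires_at": now + ttl_seconds, "must_change": True}
    return record, temp

def login(record: dict, password: str, now: float) -> str:
    """Return 'expired', 'rejected', 'must_change' or 'ok'."""
    if record["must_change"] and now > record["expires_at"]:
        return "expired"  # temporary password outlived its window
    if not verify_password(password, record["salt"], record["digest"]):
        return "rejected"
    return "must_change" if record["must_change"] else "ok"

def set_new_password(record: dict, new_password: str) -> None:
    """Replace the temporary password; a fresh salt is generated as well."""
    record["salt"], record["digest"] = hash_password(new_password)
    record["must_change"] = False
    record["expires_at"] = None
```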
Can't Slashdot editors, ya know, fucking edit? It's been how many years now, and they still let crap like this through without any editing? I, for one, would never hire a Slashdot editor for any job.
That's true. Forcing users to change the password upon first login does create one problem though. Some users are accustomed to referring back to the initial email or their notes to find the password. Those users keep trying to use the default password after the first time. The system I'm responsible for is set up that way and the help desk LOVES getting all of those calls.
I should see about changing that. It was set that way when I started this job.
It's the kind of stuff Asian people do all the time. It's not their company. It competes with their companies and so Japanese workers there quickly bite the hand that feeds them and do that. It's all they do.
Which would you want to see more: The sequel to History of the World part 2, or Spaceballs: Episode Zero?
God spoke to me
Spaceballs 2: The Search for More Money.
...be taken with a grain of salt.
like the kind you put on food? Salt is a mineral substance composed primarily of sodium chloride (NaCl), a chemical compound belonging to the larger class of ionic salts; salt in its natural form as a crystalline mineral is known as rock salt or halite.