Slashdot Mirror


eBay Japan Passwords Revealed As Username+123456

mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt used, which should have been random, was the combination '123456', which was reported as last year's worst password." Complete with visual aids.

20 of 80 comments

  1. Hey by dale.furno · · Score: 5, Funny

    That's the same password as my luggage!

    1. Re:Hey by marcansoft · · Score: 5, Interesting

      Sorry for the threadjack, but this is yet another case of horrible security reporting.

      From watching the video, what it seems happened here was that eBay chose phpBB for their community forum, but did not integrate its authentication system directly with eBay's on the server side. Instead, the site was set up as a standalone system, and whoever implemented the integration had the bright idea of hardcoding the forum password for everyone as username+123456, and then just having the eBay login page issue a hidden POST request behind the scenes to authenticate users to the community forum section.

      Thus, this allows anyone to trivially impersonate anyone else on the forum. It shouldn't have anything to do with the rest of the site, though. Nor does this have anything to do with initial passwords, salts, or any of the other terms that have been thrown around.

      A case of absolutely retarded login integration for the community site, but not something that would allow people to take over others' main eBay account. What this says about the people running eBay is another matter entirely...

  2. Obligatory by hey! · · Score: 5, Funny

    ....That's amazing! I've got the same combination on my luggage!

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:Obligatory by ArcadeMan · · Score: 5, Interesting

      You just gave me an idea.

      Alright everyone, LISTEN UP!

      If a user tries to use "12345" for his password, return an error message exactly as follows:
      "1,2,3,4,5? ....That's amazing! I've got the same combination on my luggage!"

      Now go and implement this on your systems, whatever they may be. I don't care if your code systems for banks, the NSA or whatever. It shall be known as "Spaceballs: The Error Message".

    2. Re:Obligatory by Anonymous Coward · · Score: 2, Insightful

      Introducing easter eggs is enough to get fired, if your employer takes quality seriously.

      Introducing an idea to add proper entropy calculation of all passwords can help you get a raise. Of course, if you implement it by "if char.isUpper(): entropy += 5" then you should also be fired...

    3. Re:Obligatory by 0racle · · Score: 4, Funny

      Then code a quality easter egg with full test cases and stellar documentation.

      --
      "I use a Mac because I'm just better than you are."
  3. I'm sorry, what? by Anonymous Coward · · Score: 2, Funny

    Do you not get to change your eBay password... in Japan?

    captcha: nipple. OK, that was worth it.

  4. Spaceballs: The Comment! by broginator · · Score: 5, Funny

    I too have seen Spaceballs.

    --
    s/[stupid comments]/[intelligent discourse]/gi
  5. Why was the initial password still being used? by Todd+Knarr · · Score: 4, Insightful

    If the password was set by the system, either during a password reset or initial account creation, the first thing I do is change the password to a random one my password manager program's generated. Why were these accounts still using the system-created password? Also, the article seems to conflate two uses of the term "salt": the random nonce used to ensure the stored hash value isn't the same for two different accounts that picked the same password, and the random string used in the plaintext of the initial password to avoid a trivially-guessable "password same as username"-type case. The two aren't at all the same.

  6. wait a minute... by slashmydots · · Score: 4, Funny

    Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?

    1. Re:wait a minute... by lgw · · Score: 2

      In Japan they don't obsess so much over children's cartoons? Who knew! I'll have you know the last time I ran a lab everything was named after American kids cartoons - America, fuck yeah!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:wait a minute... by Nidi62 · · Score: 2

      Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?

      Maybe ebay knew that Japanese people love to travel, so this would be easy for them to remember because it's probably the same combination as their luggage?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    3. Re:wait a minute... by crgrace · · Score: 2

      When I was an undergrad our Unix labs had every computer named after a cartoon character. All Hanna-Barbera characters too. I liked to use dino because it was fewer characters to type.

    4. Re:wait a minute... by PopeRatzo · · Score: 2

      That's nothing. I'm so old that when I was in college all our servers were named after Greek gods.

      And our desktops were clay tablets.

      --
      You are welcome on my lawn.
  7. looks like both. password = crypt(username+salt) by raymorris · · Score: 4, Informative

    My interpretation is that they used a) as b), which should be fine if the salt was actually salty. I think they did:

      default_password = crypt(username+salt)

    That would be fine if they used real salt (random), but instead they used Mrs. Dash salt substitute.

  8. Not salt by blueg3 · · Score: 5, Informative

    It looks from the video that the password is simply the username concatenated with a global string, "123456".

    That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

    So all these discussions of salt are not at all relevant.

    This is fundamentally a case of hard-coded credentials, which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)
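
    Todd Knarr's distinction (comment 5) between the two senses of "salt" and blueg3's point above, as an added Python example that is not code from the thread: the deterministic username-plus-constant default beside a random initial password and a per-user, server-side salted hash. The suffix is the value quoted in the summary; the user names and passwords are constructed.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

# Constructed stand-in for the scheme the thread describes: a fixed suffix glued
# to the username, so the "password" is derivable from public information.
GLOBAL_SUFFIX = "123456"

def flawed_default_password(username: str) -> str:
    """Deterministic default: anyone who knows the suffix can log in as anyone."""
    return username + GLOBAL_SUFFIX

def looks_derived_from_username(username: str, password: str) -> bool:
    """Flag the trivially guessable 'username plus something' pattern."""
    return username.lower() in password.lower()

ALPHABET = string.ascii_letters + string.digits

def random_initial_password(length: int = 16) -> str:
    """Second sense of 'salt' in the thread: a random initial password,
    generated with a CSPRNG, unguessable from the username."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """First sense of 'salt': a per-user random nonce stored beside the hash.
    It is not part of the password and never leaves the server."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)

if __name__ == "__main__":
    # Same password for two users gives different hashes, because the salts differ.
    s1, h1 = hash_password("hunter2")
    s2, h2 = hash_password("hunter2")
    print("flawed default for alice:", flawed_default_password("alice"))
    print("hashes differ:", h1 != h2, "verify ok:", verify_password("hunter2", s1, h1))
```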

    1. Re:Not salt by jxander · · Score: 4, Funny

      We'll call this "just a pinch of salt"

      --
      This signature is false.
    2. Re:Not salt by hawguy · · Score: 2

      It looks from the video that the password is simply the username concatenated with a global string, "123456".

      That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

      So all these discussions of salt are not at all relevant.

      This is fundamentally a case of hard-coded credentials, which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)

      I was wondering about that too -- from the description it didn't sound like a salt, I thought the summary was inaccurate (nearly unheard of on Slashdot!), but TFA said the same thing.

      Sounds like someone knew enough about cryptography to be dangerous and thought that any random (or not) string added to the plaintext password is a salt.

  9. Random? by Anonymous Coward · · Score: 2

    How do they know that 123456 wasn't generated at random? It has the same probability of occurring as any other 6 digit random number...

  10. Same for all Four Users? by fullback · · Score: 3, Insightful

    I've lived in Japan for over 20 years and I, like probably most people in Japan, didn't know it even existed.