You can find out by browsing the livejournal source code, which is public.
There have been recent instances of malicious users running dictionary attacks against specific accounts (which has low yield), and also running common-password attacks across many different accounts (which has high yield). Perhaps livejournal ran their own dictionary attack against all stored password hashes, and flagged the weak ones for update.
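One way a site operator could run the kind of self-audit this comment guesses at, as an added example (not LiveJournal's code, and the unsalted-MD5 storage format, user table and wordlist are constructed assumptions): hash each common password once and look every stored hash up in that table. Because the hashes carry no salt, one table covers every account, which is exactly why a common-password sweep across many accounts yields more than a dictionary attack on one.

```python
import hashlib

# Constructed sample user table: username -> unsalted MD5 of the password.
# This storage format is an assumption for the demo, not what the site used.
USERS = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob":   hashlib.md5(b"correct horse battery staple").hexdigest(),
    "carol": hashlib.md5(b"letmein").hexdigest(),
}

# Constructed short list of passwords known to be common.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]


def flag_weak_accounts(users, wordlist):
    """Return the usernames whose stored hash matches a common password.

    With unsalted hashes the lookup table is built once (one hash per
    wordlist entry) and reused for every account, so the audit costs
    len(wordlist) hash operations regardless of how many users there are.
    A salted scheme would force a fresh table per account.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return sorted(user for user, h in users.items() if h in table)


if __name__ == "__main__":
    for user in flag_weak_accounts(USERS, COMMON_PASSWORDS):
        print(f"{user}: password is on the common list, force a reset")
```

The accounts returned are the ones an operator would flag for a forced password change; the passwords themselves never need to be shown to anyone.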
true, I know I've had to do that before to get users to use more secure passwords... I remember once I did that and someone's password was "password" and I was sooooo pissed off.
You are correct, Jacob. Livejournal uses some weird sort of hashing system instead of SSL. I thought about doing something similar so I wouldn't have to configure Apache to use OpenSSL, and scratched around with some pen and paper systems.
I finally came to the conclusion that without a public key crypto system, any sort of hash system is reducible to brute forcing the password, albeit a slow one due to all the MD5 calculations.
It is several orders of magnitude less secure than SSL. Also, note that the popular site facebook.com uses ABSOLUTELY NO encryption whatsoever.
LJ is super-fucking stupid with passwords. Well, with a lot besides that too...
When I signed up I used one of my typical crappy passwords that I use for sites that are almost certainly storing passwords in cleartext.
Well, LJ bitched about the password being insecure because it didn't contain upper, lower, and numeric.
"Ok, great!" I think... these guys actually don't have their head up their ass when it comes to password handling, so I use one of my more secure passwords.
And then the fuckers EMAIL MY FUCKING PASSWORD BACK TO ME!
So a) they're almost certainly storing it in cleartext and b) they just sent the thing in cleartext.
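The contrast the comment draws (a site that can email your password back has it in cleartext) is with storage from which the password cannot be recovered at all. Added example, not the site's code: salted PBKDF2-HMAC-SHA256 records with a verifier, a set-time policy check of the kind the comment describes, and a reset token for the "forgot password" path. The record format, iteration count and policy rules are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the demo


def meets_policy(password: str) -> bool:
    """Set-time check mirroring the upper/lower/digit rule in the comment.
    This is the only moment the server ever sees the plaintext."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived-key.
    A fresh random salt per user means identical passwords yield different
    records, so a common-password table cannot be reused across accounts."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the stored salt and compare in
    constant time. Nothing in the record lets anyone mail the password back."""
    algo, iters, salt_b64, dk_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def make_reset_token() -> str:
    """Recovery path: a one-time random token sent to the user, who then
    sets a new password. The old password is never sent because it is
    never available."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    pw = "Str0ngerPassw0rd"
    assert meets_policy(pw)
    record = hash_password(pw)
    print("stored:", record)
    print("login ok:", verify_password(pw, record))
    print("wrong pw:", verify_password("password", record))
    print("reset token:", make_reset_token())
```

Two properties matter here: the same password stored twice produces two different records (per-user salt), and the iteration count turns each guess into real work, so the audit that is cheap against unsalted MD5 is no longer cheap.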