Why settle for (stealing) one password?

This is just a quick thought I had at work today -- actually, I had it in November, but just got around to posting it now. Common story, but eh?

Anyway, I was having trouble logging into our issue-tracking solution today in November. It had been a while since I'd logged in, since I generally go through the Helpdesk to raise issues, so I wasn't sure exactly what I used for a password. So I tried the throwaway password I use for useless work stuff, but it didn't work. So I tried another throwaway password, and another. No luck. Then I reset it and life moved on.

My point? If you're an attacker and want to collect passwords for internal systems, even if you only have hashes, replace the passwords and start logging requests. I'll bet people try the same password twice, then a couple others. Suddenly, you have a bunch of passwords to try on other systems. You might even get a couple varied usernames.

Of course, that can be considered evil. But eh?
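The defender's side of this is twofold: make sure the authentication log never records the submitted credential in the first place, and treat "a few failures, then a success" for one account as a signal worth looking at, since those failures are exactly the guesses described above. The following is an added example, not code from the original post; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the original post). They imitate an
# authentication endpoint that mistakenly writes the full POST body, including
# the submitted password, into its request log.
SAMPLE_LOG = [
    '2024-03-01T09:00:01Z user=alice result=FAIL body="username=alice&password=hunter2"',
    '2024-03-01T09:00:05Z user=alice result=FAIL body="username=alice&password=hunter2"',
    '2024-03-01T09:00:12Z user=alice result=FAIL body="username=alice&password=Spring2024!"',
    '2024-03-01T09:00:20Z user=alice result=OK body="username=alice&password=correct-horse"',
    '2024-03-01T09:30:00Z user=bob result=OK body="username=bob&password=bobpass"',
]

# Form field names whose values must never reach a log file.
SECRET_FIELDS = ("password", "passwd", "pwd", "token")

# Assumed (constructed) line layout: timestamp, user, result, quoted request body.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) body="(?P<body>[^"]*)"$'
)
SECRET_RE = re.compile(r"(?i)\b(" + "|".join(SECRET_FIELDS) + r")=([^&]*)")


def redact_body(body: str) -> str:
    """Replace the value of every credential-like form field with a fixed marker."""
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", body)


def redact_log(lines):
    """Return the log with credential values removed; lines that do not match the
    expected layout pass through unchanged rather than being silently dropped."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            out.append(line)
            continue
        out.append(
            f'{m["ts"]} user={m["user"]} result={m["result"]} body="{redact_body(m["body"])}"'
        )
    return out


def flag_fail_then_success(lines, min_failures=2, window=timedelta(minutes=5)):
    """Return {user: failure_count} for users whose run of at least `min_failures`
    failed logins ends in a success within `window` of the first failure. A success
    clears the pending failures, so the count covers only the current run."""
    pending = defaultdict(list)  # user -> timestamps of failures since last success
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user = m["user"]
        if m["result"] == "FAIL":
            pending[user].append(ts)
            continue
        failures = pending.pop(user, [])
        if len(failures) >= min_failures and ts - failures[0] <= window:
            flagged[user] = len(failures)
    return flagged


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
    print(flag_fail_then_success(SAMPLE_LOG))
```

Redaction is a stopgap for logs that already exist; the real fix is to log the username and outcome only, never the request body of a login form. The fail-then-success check is deliberately per account: it catches the user who cycles through a few personal passwords before landing on the right one, which is the sequence whose failed guesses would be worth protecting.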

3 thoughts on “Why settle for (stealing) one password?”

  1. kc0pah

    Take your comment another step further... If these login failures are logged, where are the logs? Are they on the same system? In a less than protected directory? In clear text?

    It is amazing what you can harvest from logs and how insecurely most logging is handled and stored.

    1. Ron (Post author)

      Agreed.

      Your post reminded me of a ha.ckers.org blog about hiding PHP code in logfiles for RFI:
      http://ha.ckers.org/blog/20100128/micro-php-lfi-backdoor/

  2. Robert

    In an article about Mark Zuckerberg, about life back at Harvard when he was worried about the Winklevoss twins and their competing web site, he used that technique. The twins apparently had accounts on Facebook, so he looked at the logs (heck, he could look in the database, having written the app) and saw where they had logged in using the wrong password before remembering the right one. I forget the details, but I think he used the credentials to log into their e-mail account and redirect their mail, in trying to fend off competition. Which is a bit crazy, because if you read the book by Ben Mezrich, while the Winklevosses had a good idea which he built on, the greatness of fb was all his. So yes, good technique, works great ;)
