Call for help: researching the recent gmail password leak

Hey folks, You probably heard this week about 5 million accounts posted. I've been researching it independently, and was hoping for some community help (this is completely unrelated to the fact that I work at Google - I just like passwords). I'm reasonably sure that the released list is an amalgamation of a bunch […] authentication misconceptions

Hey everybody, There have been a lot of discussion and misconceptions about's authentication lately. Having done a lot of work on the protocol, I wanted to lay some to rest. The first thing to understand is that, at least at the time I was working on this, there were three different login methods […]

(Mostly) good password resets

Hey everybody! This is part 3 to my 2-part series on password reset attacks (Part 1 / Part 2). Overall, I got awesome feedback on the first two parts, but I got the same question over and over: what's the RIGHT way to do this? So, here's the thing. I like to break stuff, but […]

Hacking crappy password resets (part 2)

Hey, In my last post, I showed how we could guess the output of a password-reset function with a million states. While doing research for that, I stumbled across some software that had a mere 16,000 states. I will show how to fully compromise this software package remotely using the password reset.

Hacking crappy password resets (part 1)

Greetings, all! This is part one of a two-part blog on password resets. For anybody who saw my talk (or watched the video) from Winnipeg Code Camp, some of this will be old news (but hopefully still interesting!) For this first part, I'm going to take a closer look at some very common (and very […]

Ethics of password cracking/dissemination

It's rare these days for me to write blogs that I have to put a lot of thought into. Most of my writing is technical, which comes pretty naturally, but I haven't written an argument since I minored in philosophy. So, if my old Ethics or Philosophy profs are reading this, I'm sorry!

Followup to my Facebook research

Hey all, Some of you may have heard what I did this month. It turns out, depending on who you listen to, that I'm either an evil "Facebook hacker" or just some mischievous individual doing "unsettling" research. But, one way or the other, a huge number of people have read or heard this story, and […]

Return of the Facebook Snatchers

First and foremost: if you want to cut to the chase, just download the torrent. If you want the full story, please read on.... Background Way back when I worked at Symantec, my friend Nick wrote a blog that caused a little bit of trouble for us: Attack of the Facebook Snatchers. I was blog […]

robots.txt: important if you’re hosting passwords

This is going to be a fun post that's related to some of my password work. Some of the text may not be PG13, so parental discretion is advised. As most of you know, I've been collecting password lists. In addition to normal password lists that are useful in bruteforcing, I have a (so far) […]

The ultimate faceoff between password lists

Yes, I'm still working on making the ultimate password list. And I don't mean the 16gb one I made by taking pretty much every word or word-looking string on the Internet when I was a kid; that was called ultimater dictionary. No; I mean one that is streamlined, sorted, and will make Nmap the bruteforce […]

Hard evidence that people suck at passwords

Hey everybody! As you probably know, I've been working hard on generating and evaluating passwords. My last post was all about's passwords; next post will (probably) be about different groups of passwords from my just updated password dictionaries page. This will be a little different, though.