He seems to be on a crusade against bad security practices - RockYou was just one out of many sites he hacked (other sites are mostly Czech and Slovak).
Here in Slovakia, it's almost a weekly media event when he hacks yet another popular local site (mobile phone operator, insurance company, no. 1 portal, etc.).
He also likes to call bullshit on the companies' PR nonsense released in the aftermath.
Every time I create an account on some new website, I find myself wishing for some kind of law enforcing disclosure of whether or not my password will be stored in plaintext or encrypted.
I got super paranoid about that, so I created a system for creating quasi-random passwords for different sites, but based on the same rule:
salt+[reversed first four letters of site name]+[number of digits in site name] (not the actual rule I used, but you get the idea)
That was okay, but kind of annoying. Plus, I figured that the rule wouldn't be overly difficult to break, and then I'd be just as screwed as if I used the same PW for all sites.
Now I use 1Password to generate and store all of my passwords. I use Dropbox to sync it across all my computers, and if I log in to Dropbox, I can access a web interface. There's also an iPhone app, so it's not completely annoying never knowing any of my passwords, and I don't have to worry about one site storing my PW in plain text and being exploited. [Now I just need to worry about my Dropbox account getting hacked... here's hoping they don't store in plain text ;)]
I don't have anything to do with 1Password, and there are a lot of other apps out there that do the same thing.
Yep. Of course the security-minded (read: paranoid) people still cringe at schemes like this (the password generators mentioned above are more secure), but I think this is a pretty good compromise for the average person.
To be fair, it's not that simple of a problem. At the time, Facebook Connect didn't exist, Twitter didn't use OAuth, and I don't know what MySpace was doing. So if you wanted to give a 3rd party app access to your account, they had to store your password. Sure, they should have used some kind of two-way cipher on it, but how much safer than plain text is that anyway?
Of course, once Facebook et al. started using OAuth-like protocols they should have dropped the passwords. There's a lot of shame here for sure, but it's not quite as amateur of a mistake as it sounds on first blush.
The post explains that no passwords to outside services were implicated in the breach. So this is just as amateur a mistake as it sounds - storing their own passwords in plaintext for no reason at all.
Not true. This press release may say that, but earlier accounts disagree:
"This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites."
Also, consider RockYou's initial statement, in which they would only say that no Facebook accounts were compromised:
"RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company."
But you're right about them storing the internal passwords in clear text, which I did not know. That is absurdly dumb.
We are sorry for the inconvenience this illegal intrusion onto the RockYou system has caused our users. We will continue to advise our users of any information that would help them.
To me, this is a textbook case of a non-apology apology. Allowing (unencrypted!) passwords to be stolen isn't inconvenient to users, it's a pain in the ass.
I love how they follow "Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure." with a missive about how they don't follow the same security standards that every web app has used for 10 years. Their legacy system is presumably not older than their company, which has not been around since before even hobbyist web developers like myself learned not to store passwords in plain text.
Next we're going to find out that their system accepts the username "Delete from users WHERE"...
I know this is beating a dead horse, but encrypting your users' passwords is one of the most important things you should be doing. Failing to do so shows a complete lack of respect for your users, and demonstrates that your site/service is probably not worth using.
There should be a list of companies/sites that don't encrypt passwords, so we know what services to avoid. That way, next time you use the Forgot Your Password feature and they email you your plaintext password, you can add them to the list to warn others.
Yeah, I suppose I should clarify. Instead of storing the plaintext or encrypted version of the password, they should store a hash of the password. That way, if/when the database gets compromised, it's even more difficult for the attacker to retrieve the passwords.
If the passwords are just encrypted, once the attacker figures out the algorithm, then all of the passwords will be compromised. A hash, on the other hand, would require each account password to be broken individually.
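The contrast drawn in the comment above, as an added example that is not part of the original thread: a table of reversibly encrypted passwords falls in one pass the moment the attacker has the key (it usually sits in the same config file or dump), whereas a table of salted, slow hashes has to be guessed one row at a time, and strong passwords survive the dictionary attack. The toy stream cipher, account names, passwords and word list below are constructed for illustration; the hashing side uses stdlib PBKDF2 with a deliberately low iteration count so the demo runs quickly.

```python
"""Added example (not from the original thread): reversible encryption vs. a
salted, slow hash for stored passwords.  The stream cipher is a toy built from
SHA-256 for illustration only; the accounts and word list are constructed."""
import hashlib
import hmac
import os

# --- "encrypted" storage: reversible, one key protects every row -------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream: sha256(key || nonce || counter).  Not a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_password(password: str, key: bytes) -> bytes:
    nonce = os.urandom(8)
    pw = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(pw, _keystream(key, nonce, len(pw))))

def decrypt_password(record: bytes, key: bytes) -> str:
    nonce, ct = record[:8], record[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def decrypt_all(records: dict, key: bytes) -> dict:
    # With the key in hand every password is recovered in a single linear pass:
    # no guessing, and the strength of the password is irrelevant.
    return {user: decrypt_password(rec, key) for user, rec in records.items()}

# --- hashed storage: one-way, per-user random salt, deliberately slow ----------
ITERATIONS = 2_000  # kept low so the demo is fast; use a much larger count in production

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def crack_hashed(records: dict, wordlist: list) -> tuple:
    """Dictionary attack on the hash table.  Returns (recovered, hash_evaluations).
    Each row has its own salt, so no work can be shared between rows."""
    recovered, evaluations = {}, 0
    for user, stored in records.items():
        for guess in wordlist:
            evaluations += 1
            if verify_password(guess, stored):
                recovered[user] = guess
                break
    return recovered, evaluations

# Constructed sample accounts; not real RockYou data.
SAMPLE = {"alice": "password", "bob": "rockyou", "carol": "correct horse battery"}
WORDLIST = ["123456", "password", "rockyou"]

def demo() -> dict:
    key = os.urandom(32)  # stands in for the site's "encryption key" the attacker obtains
    enc_table = {u: encrypt_password(p, key) for u, p in SAMPLE.items()}
    hash_table = {u: hash_password(p) for u, p in SAMPLE.items()}
    recovered, evals = crack_hashed(hash_table, WORDLIST)
    return {
        "encrypted_recovered": decrypt_all(enc_table, key),  # all three, instantly
        "hashed_recovered": recovered,                       # only the two weak ones
        "hash_evaluations": evals,                           # 2 + 3 + 3 = 8 guesses
    }

if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the encrypted table costs the attacker exactly one key, while the hashed table costs one PBKDF2 run per (row, guess) pair, and carol's passphrase never falls to the word list at all. Real deployments should use a dedicated password hash (bcrypt, scrypt or Argon2) with a far higher work factor than the demo's 2,000 iterations.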
The thing that pisses me off most is... I sign up for some website and a few minutes later I get some email - hey, welcome to site X, your username is Y and your password is Z... WHAT THE FUCK
From: sshconnection
Date: Wed, Jan 6, 2010 at 4:59 PM
Subject: Engineering Lead for Social Applications
To: dev-jobs@rockyou.com
Hi, I'm interested in your opening for Engineering Lead for Social Applications.
I made a PHP page as a high school project that let me log in and create blog posts. I required an admin account to log into the blog to write articles. My user table (I used MySQL as a database backend) had four columns: id, email, username, password. It sounds very simple, but please let me tell you some of the special technology I used for the password.
If someone used a password of "password", I would do something like this:
$plaintext = "password";
Then, I would use a function called sha1 to get a new value of the password like this: $salt = sha1(md5($plaintext));
Then, I would get the final value to store as the password like so: $password = md5($salt.$plaintext);
This way, the password is hidden behind what people call a hashing algorithm. That keeps people from figuring out the original password, even if they somehow got on my computer!
I know I have no professional programming experience, but I think that I could be a very valuable member of your team. If you're interested, please let me know!
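What the mock application letter above actually buys you, as an added example that is not part of the thread: because its "salt" is computed from the password itself, the stored value is a pure function of the password, so two users with the same password get the same record and one precomputed table cracks every account in the dump with no per-row work. The code ports the letter's scheme to Python (PHP's md5() and sha1() return hex strings, which is what the port hashes) and sets it beside a random per-user salt; account names, passwords and the word list are constructed.

```python
"""Added example (not from the thread): a salt derived from the password is no
salt at all.  Ports the sha1(md5(pw)) / md5(salt . pw) scheme from the letter
above and contrasts it with a random per-user salt.  Accounts are constructed."""
import hashlib
import os

def mock_store(plaintext: str) -> str:
    # Faithful port of the letter's scheme; PHP md5()/sha1() return hex strings.
    salt = hashlib.sha1(hashlib.md5(plaintext.encode()).hexdigest().encode()).hexdigest()
    return hashlib.md5((salt + plaintext).encode()).hexdigest()

def build_lookup_table(wordlist: list) -> dict:
    # Computed once; reusable against any number of accounts and any future dump,
    # because nothing per-user enters the stored value.
    return {mock_store(word): word for word in wordlist}

def crack_with_table(records: dict, table: dict) -> dict:
    # One dictionary lookup per row: zero hash computations at attack time.
    return {user: table[h] for user, h in records.items() if h in table}

def random_salt_store(plaintext: str) -> str:
    # The fix: a salt the attacker cannot predict from the password.
    salt = os.urandom(16)
    return salt.hex() + "$" + hashlib.sha256(salt + plaintext.encode()).hexdigest()

ACCOUNTS = {"alice": "password", "bob": "password", "carol": "qwerty", "dave": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "qwerty"]

def demo() -> dict:
    naive = {u: mock_store(p) for u, p in ACCOUNTS.items()}
    salted = {u: random_salt_store(p) for u, p in ACCOUNTS.items()}
    table = build_lookup_table(WORDLIST)
    return {
        "same_password_same_record": naive["alice"] == naive["bob"],  # True: no real salt
        "cracked": crack_with_table(naive, table),                    # alice, bob, carol
        "hashes_computed": len(WORDLIST),                             # 3, regardless of account count
        "salted_records_differ": salted["alice"] != salted["bob"],    # True with a random salt
    }

if __name__ == "__main__":
    print(demo())
```

The table has the same cost whether the dump holds four rows or four million, which is exactly the property a salt exists to deny the attacker; the random-salt variant restores per-row cost but still needs a slow, dedicated password hash (bcrypt, scrypt, Argon2) rather than a single SHA-256 to be production-worthy.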
I like the Stack Overflow system. The "Ask Question" form submits a search when you're finished typing out your question. It's helped me find answers to questions, before asking them, that didn't appear at the top of Google's search results.