[Novalug] a billion stolen usernames/passwords

Barnett Hsu bhsu@acm.org
Fri Aug 8 05:11:53 EDT 2014


On Thu, Aug 7, 2014 at 11:13 AM, John Holland via Novalug <
novalug@firemountain.net> wrote:

> On the news and in the papers is a story about hackers stealing "a billion
> username/password combinations". How is this possible if the standard
> method of authenticating users is to only store a hash of the password? I
> have heard of "rainbow tables" that map hashes to inputs that produce them
> - is that involved?
>

My understanding is that the research firm was talking about a hacker group
that conducted multiple attacks over an eighteen month period against over
400,000 web sites. So it looks big, but the individual attacks were
probably small.  And they may have counted people with multiple accounts
multiple times.

From what I read, it was done via SQL injection attacks.  The web site
probably had a login form or some other form that didn't check to make sure
the person filling out the form didn't put SQL commands in the form input.

They might have used "rainbow tables" to figure out passwords if the
hackers actually took the time to get the actual passwords.  None of the
articles I read mentioned if the hackers actually got the passwords though.
They spent their time talking about the e-mail addresses that were taken
that could be used for spam.  The spam could have gotten users to give up
passwords via phishing.

There are probably web sites out there still that don't store a hash of the
password.  Any web site setting an arbitrary length limit for how long your
password can be might not be hashing the password.  The ones that say your
password can only be 5 to 8 characters long, for example.  And any web site
that can send you your password in plain text in e-mail in response to a
"reset password" link isn't hashing.
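The two mechanisms the reply describes, a login form whose input is pasted straight into a SQL statement and a user table that stores only a salted hash, side by side in a small runnable example. This is an added illustration, not code from the original thread; the table layout, the user names, the password "correct horse" and the injected string are all constructed for the demo, and the in-memory SQLite database stands in for a real web site's backend.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo schema: no plaintext password column, only salt + PBKDF2 hash.
SCHEMA = "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
PBKDF2_ROUNDS = 100_000  # assumption for the demo; tune for your hardware


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash. The per-user salt is what defeats precomputed
    (rainbow) tables: the same password yields a different hash per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The bug the reply describes: form input concatenated into the SQL text,
    so anything that looks like SQL in the input is executed as SQL."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver passes the input as a value, never as
    part of the statement, so quotes and keywords in it are just characters."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def stored_record(conn: sqlite3.Connection, username: str):
    """What an attacker who dumps the table actually gets: salt and hash,
    not the password (returns None if the user does not exist)."""
    return conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Verify by re-hashing the submitted password with the stored salt.
    compare_digest keeps the comparison constant-time."""
    row = stored_record(conn, username)
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def build_demo_db() -> sqlite3.Connection:
    """Constructed fixture: two users who happen to share a password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    register(conn, "alice", "correct horse")
    register(conn, "bob", "correct horse")
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed input containing SQL: the unchecked form returns every user,
    # the parameterised form returns nothing.
    sql_in_input = "nobody' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, sql_in_input))
    print("safe:      ", find_user_safe(db, sql_in_input))
    # Same password, different salts, different hashes; the table never holds
    # the password itself, so a dump alone does not reveal it.
    print("alice hash == bob hash:", stored_record(db, "alice")[1] == stored_record(db, "bob")[1])
    print("login ok:", login(db, "alice", "correct horse"), login(db, "alice", "wrong"))
```

Two points the run makes concrete: the concatenated query lets the input change the statement's structure, which is exactly what the reply means by a form that "didn't check" for SQL in its input, while the parameterised version never gives the input that power. And because the stored column is a salted, slow hash rather than the password, a site that can e-mail you your old password or caps it at eight characters cannot be doing this; it is keeping something recoverable.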