Tag Archives: passwords

Another Twitter Scam: Twitviewer

0
Filed under Social Networks
Tagged as , , ,

twitviewerOne of the trending topics today on Twitter was “Twitviewer” becuase of a site called Twitviewer[d0t]net which asks visitors to enter in your Twitter user id and password to find out who is “stalking” you.  When you do, you get a sample of people on Twitter that are not even following you as stated in this Mashable post.  The app also sends out a tweet using your credentials stating: “Want to know whos stalking you on twitter!?: hxxp://TwitViewer[d0t]net”.  If you did fall victim to this you better change your password ASAP!  Check out the screenshot of the site before it was taken down…yeah, phishy indeed.

Who knows what the developers of this application were planning (malicious or others).  Regardless, you should never give a third party site (especially ones that look phishy like this one) your Twitter credentials.  In fact, I recommend you only use third party Twitter sites that use OAuth for authenticating you to Twitter.  That way you don’t have to give your credentials to the web site and worry about them being compromised.  Also, look to see what the purpose of the site is before you give the jewels away…if it’s a way to see who’s following you, enter credentials to get millions of followers, etc…then it’s probably a scam or just completely useless.

Think about this.  If the developer of a site like this wanted to they could easily use your captured Twitter credentials and start trying them on other social networks and/or web mail services.  They can then use these credentials for anything else they wanted.  Unfortunatly, most users of these sites use the same password for everything.  Again, this is a reminder to use a password manager if you are one of those that use the same user id/password for everything.  See this article for more information on password managers and social media web sites.

Password Length and Complexity for Social Media Sites

6
Filed under Social Networks
Tagged as , , , , , , ,

July 1st was “Twittersec” day as coined by @hevnsnt over at I-Hacked.com to designate July 1st as change your Twitter password day. Why? Mostly because July is the “month of Twitter bugs” created by a security researcher in which he will announce a bug in a “3rd party Twitter application” everyday for the month of July to raise awareness on security issues with the Twitter API. Technically, this should be “month of 3rd party” Twitter bugs but whatever. Either way it will raise awareness about some of the security issues of Twitter and 3rd party applications.

ANYWAY, back to my point….I sent out some tweets about changing your Twitter password and now being a good time to use a password manager like Keepass to manage multiple, complex passwords for everything…not just social media sites. One problem though is that each site might have different password length and complexity requirements. This becomes an annoying issue when you choose a randomly generated password like I suggest when using a password manager. You will encounter many sites that have specific requirements and others that do not. Obviously, the longer and more complex the password is the harder it is to crack so I suggest going as long as you can. Sad that there are these limitations on certain sites (blame the site developers) but if you set your random password generator to a very large number (I recommend at least 20 with a mix of everything you can throw at it including white spaces if the site will let you), it’s as good as your going to get.

Keep in mind, some applications even supported by the site (like the Facebook app for BlackBerry and iPhone) might not like passwords over a certain length or even certain special characters…you will know once you use these apps. Also, I mention Keepass as a password manager because you can use it on a BlackBerry or Windows Mobile device as well…an iPhone version is being worked on. So here you go…max password lengths for the major social media sites:

Twitter
None. I tried a 500 character password with everything but white spaces and it worked.

Facebook
None. I tried a 1000 character password with everything but white spaces and it worked.

MySpace
10 characters! Wow…really bad. Now I know another reason MySpace sucks.

LinkedIn
16 characters! This is interesting. LinkedIn truncates the password to 16 characters! Even if you put in a password larger then 16 characters it will only use the first 16, you can actually see this when entering in a password. No user notification, no info about this in the ‘help’ section. Sneaky and evil.

YouTube
None. Your account is tied to your Google account so is kind of a pain to change…but I didn’t find any issues with length or complexity.

On another note…I wonder if Twitter and Facebook truncate the passwords at a certain length and don’t tell you? Not sure…but it would be interesting to find out. This is another bad design as a they could easily just hash the entire password (which is a certain manageable length) and the hash is stored in the database not the large character password. Does this mean that sites like MySpace and LinkedIn are storing passwords in clear text? Also, I have run into other sites (non-social network) that actually truncate the password because when you try to login with an overly complex password…you get denied! Then you enter the cycle of doom…resetting your password thinking you fat fingered that password to begin with over and over. :-/

Are social media password limitations working against you?
Finally, just a quick point on this. Social media sites like MySpace and LinkedIn should NEVER have any limitations on password length or complexity. Certain complexity restrictions (like white space or strange characters) I could understand since you would have to use these passwords on mobile devices and other integrated apps. However, there are no technical limitations of just hashing the passwords to a constant length…and we all know storing passwords in a database in clear text is never a good thing.

Shouldn’t these social media sites that you already give your personal information to be trying to protect you the user as best as they can by letting you set a long and complex password? Let’s hope MySpace and LinkedIn get better at this real soon!

Are you using strong and unique passwords? You should!

1
Filed under Hacking
Tagged as ,

I have been following several stories of recent targeted attacks against a few high profile security professionals. Two that I was made aware of were pdp from GNUCITIZEN and Alan Shimel from StillSecure, After All These Years. pdp had his Gmail account compromised and his entire mailbox mirrored all over BitTorrent. Alan’s, was far worse with his mailbox compromised, personal info released and his blog domain hijacked. Both pdp and Alan have returned to blogging after the attacks and I commend them for making such a quick come back.

While these types of attacks are not new…it goes to show that this can happen to anyone, even high profile security professionals. Not much is known yet on how these attacks happened but I am willing to bet that common and/or weak passwords were part of the attacks in some way. Think about all the passwords you have…do you have the same one for everything? If you are a blogger or manage a web site think about the last time you changed the password you use for your domain registration (yeah..that was a long time ago right?)! Add to the fact that these passwords may not be very complex and you have a potentially dangerous situation.

Close to two years ago I started using a password manager and it has been one of the best things I have done to help sort out the password mess. Password managers are great…but you can still get lazy. We all have the lazy bug…especially with online forums and web sites. One idea that I learned to help combat this was to have a “throw away” password that you can easily remember (yet still somewhat complex) for things on the web that you wouldn’t care if they were compromised. Everything else…use the password manager and make sure you use a long (> 20 character) randomly generated password for each application. Keep in mind that 20 characters may be too long for certain web sites or applications. Case in point…LinkedIn has a limitation of 16 (I found this out the hard way). Sure, it’s a pain in the ass to use a password manager but in the end…it’s well worth the extra work.

So what password manager to use? I did a few posts a long time ago about two of them. However, over the years I have migrated everything over to KeePass and KeePassX (for OS X). Since I use multiple computers with different OS’s (and a Blackberry)…KeyPass is the only one that I found that can be easily used on multiple platforms. There are also a TON of great plugins. Add to the fact that it’s free…it’s tough to find a more robust solution.

So yes, go for it! These targeted attacks should remind you that it’s a good time to change those passwords to something complex and unique. Don’t forget to use a password manager to help you out!