Twitter Hack Details Revealed 222

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."

  • by NewbieV ( 568310 ) <victor...abraham ... ot@@@gmail...com> on Thursday January 08, 2009 @01:45PM (#26374233)

    Blackberries are safer than Twitter accounts. If you enter the wrong password into a Blackberry a set number of times (usually 10), it erases its contents.

  • by Manip ( 656104 ) on Thursday January 08, 2009 @01:47PM (#26374271)

    This is one of my favourite security conundrums.

    How do you limit someone's login attempts to an account without allowing an account to be denial of serviced?

    Captcha - hurts young, old, and disabled users. It can also make it hard for normal users if poorly designed (as many are).

    IP Limit - Very easy to bypass with a proxy list.

    Hard Account Limits - Denial of service

    Thus is the problem. How do you limit logins without hurting legitimate users?

  • by paulhar ( 652995 ) on Thursday January 08, 2009 @02:02PM (#26374447)

    One way would be to get progressively slower at *processing* a login for a particular user based on the number of failed attempts. I.e. user enters a password, the timer ticks away, and then at the end it really does the test and checks if the password was right.

    You would typically double the time delay with a reasonable limit of say 1 minute so that each failed attempt sticks at 1 minute delay.

    You put up a banner after the delay reaches 10 secs or so saying "Your login will be slower as you have had X failed attempts recently".

    Then elsewhere you limit the number of failed logins from a single IP address to different accounts via a similar method to slow them down trying 100,000,000 accounts with password X.

    Oh, and internally you check that passwords aren't common dictionary attack words to prevent users from running with knives when they create / modify their account...

  • by Phrogman ( 80473 ) on Thursday January 08, 2009 @02:19PM (#26374663)

    Perhaps even add +x seconds after every attempt, so your first attempt goes through and fails, the next one has a delay of 5s, and thereafter it's incremented. Most users will get their password correct on the second try or perhaps the third; the script will die a slow death.
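    The two delay schedules above, as an added example that is not part of any commenter's post: paulhar's doubling delay capped at one minute with the banner from 10 seconds and a parallel per-IP counter, Phrogman's linear +5s variant as an alternative schedule, and the creation-time dictionary-word check from paulhar's comment. The class, function names and the short word list are constructed for illustration.

```python
from collections import defaultdict

CAP_SECONDS = 60   # paulhar's ceiling: after this, every further failure sticks at 1 minute
BANNER_AT = 10     # show the "your login will be slower" notice once the delay reaches this

# Constructed sample wordlist standing in for a real dictionary-attack list (assumption).
COMMON_WORDS = {"password", "letmein", "qwerty", "monkey", "123456"}

def doubling_delay(failures):
    """paulhar's schedule: no delay until the first failure, then 1, 2, 4, ... s, capped."""
    return 0 if failures == 0 else min(2 ** (failures - 1), CAP_SECONDS)

def linear_delay(failures, step=5):
    """Phrogman's variant: first attempt free, each failure adds `step` seconds, capped."""
    return min(step * failures, CAP_SECONDS)

def is_dictionary_word(password, wordlist=COMMON_WORDS):
    """Creation-time check: reject passwords a dictionary attack would try first."""
    return password.lower() in wordlist

class LoginThrottle:
    """Failure counters per account and per source IP. The delay is the larger of the
    two penalties, so one address scanning many accounts slows down as well."""
    def __init__(self, schedule=doubling_delay):
        self.schedule = schedule
        self.account_failures = defaultdict(int)
        self.ip_failures = defaultdict(int)

    def delay_for(self, username, ip):
        return max(self.schedule(self.account_failures[username]),
                   self.schedule(self.ip_failures[ip]))

    def attempt(self, username, ip, password, verify):
        """Returns (success, delay_seconds, banner). The delay is decided before the
        password is checked; the caller enforces it (sleep, or a 'not before' time)."""
        delay = self.delay_for(username, ip)
        banner = None
        if delay >= BANNER_AT:
            recent = max(self.account_failures[username], self.ip_failures[ip])
            banner = (f"Your login will be slower as you have had "
                      f"{recent} failed attempts recently")
        ok = verify(username, password)
        if ok:
            self.account_failures[username] = 0   # success resets only the account counter
        else:
            self.account_failures[username] += 1
            self.ip_failures[ip] += 1             # age these out with a periodic job in practice
        return ok, delay, banner
```

    Sleeping inside a request handler ties up a worker per attacker connection, so a deployment should store the earliest permitted retry time and reject earlier attempts outright.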

  • by sexconker ( 1179573 ) on Thursday January 08, 2009 @02:25PM (#26374771)

    Anyone trusting blogs, twitter, etc. for news is a moron. Any newspaper, news network, etc. doing the same is run by morons, and should go back to journalism school.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Thursday January 08, 2009 @02:31PM (#26374843)
    Comment removed based on user account deletion
  • by daveatneowindotnet ( 1309197 ) on Thursday January 08, 2009 @02:43PM (#26374989)
    Overrated, really? I thought it was hilarious even if it was crude and cynical.
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Thursday January 08, 2009 @02:53PM (#26375097)
    Comment removed based on user account deletion
  • by Anonymous Coward on Thursday January 08, 2009 @03:04PM (#26375247)

    For my users to log in they have to supply the correct password AND have not failed a password check in the last 3 seconds. If not, they get a "Wrong Password" message either way.

  • by mcgrew ( 92797 ) * on Thursday January 08, 2009 @03:21PM (#26375497) Homepage Journal

    You don't (probably) use the same key for your house and your car and your safety deposit box

    No, but I wish I could. They're all on the same key ring, after all. If I lost my keys and whoever found them knew whose keys they were, I'd have to change all the locks anyway.

    Another "bad security practice" I do is to keep my passwords written down. That's a no-no in the security field, but it's a stupid no-no. I keep them in my wallet, along with my security code for the building I work in, my money, debit card, and other valuables. Unlike money and cards, the passwords are easily disguised as building addresses (1234 Spring Street) or phone numbers (525-1234). Yeah, posting it on a post-it on the monitor is stupid, but keeping it written down with other valuables allows you a tougher-to-crack password, one against which a dictionary attack like the one used at Twitter is impossible. E.g., d5#6*;mtTMbp can't be remembered by anyone but a savant, but if it's written down it can't be forgotten.

    You could also use the title of a book, write that down, and use every nth character in the password. For example, Shrew 9 would be SBlatsle, which is every ninth character (excluding spaces) from the introduction to Wm Shakespeare's Taming Of The Shrew.

  • by techprophet ( 1281752 ) <emallson@AUDENarchlinux.us minus poet> on Thursday January 08, 2009 @05:58PM (#26377939) Journal
    You all need to ban the IP that keeps posting these. This has been on two stories in the past two days (this being the 2nd). These are vulgar profanities that should offend all people of every color and creed by their racism. I hope the guy who posted these doesn't have any mod points soon because if he does I'm hosed.
