Should have changed it to...
Mark Zuckerberg’s Twitter and Pinterest accounts were hacked over the weekend. The breach apparently happened after the Facebook boss’s login details were exposed via the recent LinkedIn password dump. This implies Zuckerberg reused passwords across multiple sites or perhaps that the format of the password he chose for other …
Oh yeah, that idiot Zuckerberg and his moronic team who just happen to run one of the most successful internet businesses in the world. Thank God all us clever people know the real way to make a difference is to anonymously post bullshit on the internet.
I have a massively complex password Zuckerberg, think about that as you're having a Scrooge McDuck swim in your vault of cash this evening!!! You naive fool!
Sorry, facebook is not an OS, it's not a compiler, it's not a word processor or database. Nor it is a good indexing algorithm like Google search. Facebook is just a stupid application for people in need of showing off, or too luser to have a life. It just happened to become more used than many similar ones because of good PR, media pumping it, and lots of idiots believing it. Actually, to develop something like facebook you need to have a first hand knowledge of how many gullible idiots there are around.
To become very rich, you don't need to be really clever and skilled. Sometimes, all you need is little ethics, and a lot of luck. There are several examples of "successful business" built on nothing. That's how the world works, sure, good for them, but nobody and nothing will force me to think they are "exceptional" people. They are still morons. Lucky ones, but morons.
Sure, later he needed to hire some more skilled people to run the infrastructure needed to exploit idiots, but it's not like, say, launching a rocket and then landing it on a barge....
This post has been deleted by its author
You are so right. I realize that fb is the cheap, transfat laden generic cheetohs of the net. I am so freaking tired of his political bs, he suffers from Delusions of Adequacy and is now trying to run the political scene. He's not really "one of them" but they gladly take his money. The censorship is getting out of hand, and you absolutely are right about the users (losers) Remember that fb was begun by some pasty faced fratgeeks as a way to bash and harass women who wouldn't got out with them. I am ashamed to admit I use(d) it but since I got blocked again for not being PC (I referred to the rapefugees in Sweden) I realize it's time to delete the account. Thank you for reminding me. I feel like Stan in that South Park episode "You have 0 friends"
*ahem*, Zuckerberg is just an extremely lucky person, someone who was in the right place at the right time. He was a third rate programmer then, and probably hasn't touched a line of code in the last 5 years.
He just a standard frat boy that won the lottery. He setup facebook to get laid remember. He didn't sit down and plan "hey, I'm going to make an international company, anyone interested".
These days he spends most of his time speaking with accountants, his tax advisor, the board of directors and his legal team to see how to maximise his "product" (ie, you) by lobbying politicians, including being happy to enable censorship for those governments to turn a blind eye to his goings on.
There was no skill in Facebook, there was no strategic planning, there was no end vision, it was just some egotistical frat boy trying to get laid.
Try not to rewrite history to those who lived through it, thanks.
This post has been deleted by its author
It mystifies me why anybody would store a password in a database, regardless of whether or not it's in encrypted form.
Any time I'm designing a back end that needs to perform authentication, I store a hash of the user's password. When they try to log on, hash what they provide and compare that with the hash in the database.
If anyone manages to break into or steal the database, all they have is hashes, from which it will be very hard to reverse engineer the password itself.
If someone steals the database, they don't need to reverse the hashes. They'll just throw a dictionary file at your hashing algorithm and look for matches. Doesn't take too long to brute-force every password up to 6 or 8 characters long as well. This is why you should be salting the passwords before hashing them, and forcing users to have sufficiently long passwords.
By your enthusiasm for hashes, I'd guess you still ballsed it up. Don't worry nobody ever gets it right.
1. Are your hashes upgradable in-place? Are you storing the algorithm and iteration count along with the hash for each user? Could you smoothly upgrade from bcrypt to argon2?
2. Using a key derivation function? There's zero need to build your own, but if you did are you iterating correctly by feeding the password + hash back though the HMAC?
3. How is your database setup? A stored procedure which takes a challenge string, and returns a boolean is immune to SQL injections. And you can lock-down the table's permissions to execute only.
> If anyone manages to break into or steal the database, all they have is hashes, from which it will be very hard to reverse engineer the password itself.
Before throwing stones here, a consumer grade GPU can compute 18 billion (yes with a B) sha1 hashes per second. Most English dictionaries have between 80 and 500 thousand words for some perspective. Or the hash of every possible 5 character password within a second. Very hard should always be understood in context of available number crunching capabilities.
But yes, there is a good chance that the passwords were not hashed enough times with sufficient salt.
It is also a really dumb password and was reused at multiple sites.
"It also serves as a reminder that two-step verification, which LinkedIn supports for all of its users, is not enough in this age of rapidly advancing attacker capability"
...alternately, you could try not re-using weak passwords. And wasn't it LinkedIn who got thoroughly pwned with unhashed passwords, or am I thinking of someone else?
Yep you're remembering right (if I'm also remembering right, that is!).
The LinkedIn breach was from 2012 and they were unhashed (or very weakly hashed) passwords. Ok so he reused passwords, most of us do that on throwaway accounts, big deal. However, the claims that two factor authentication is borked, and using this as an example is total bollocks, this has nothing to do with two factor authentication, this is all to do with very poor database security and the re-using of old passwords on throwaway accounts. (I'm assuming throwaway since from what I read elsewhere Zucks pinterest account had 30 photos on it. Yep sounds like he's using that a lot, doesn't it... )
Probably he has the average social media personal assistant who's been hired because he/she looks good, talks well, and can serve a good coffee if required. He/she can also type some carefully crafted sentences, sometimes written by some upper "entity", using some "media outlet" she/he has been told to use.
Proper security mindset is, of course, not required nor any training has been provided.
Why should Zuck spend time logging in? He has to annoy even astronauts who believed they were far enough from facebook....
I don't doubt that Zuckerberg's accounts have been hacked but is there any independent confirmation that the password was 'dadada' and that wasn't just a joke? Everyone appears to be blindly accepting something someone posted on social media (and how well that has worked in the past) but it does seem a little unlikely.
Waitaminute, surely it's cheaper than a pint to test your hypothesis...
...Ooh, you crafty bugger. You've cracked it, changed the password, and are going to change it back to "dadadada" just in time for whoever's adjudicating to check it. Veeeery clever. You can have this one on the house.
It's important to remember that he was hacked not because someone managed to brute force his weak password but because he reused that password. A password of "dadada" for LinkedIn is fine, so long as you don't also use it for your twitter account.
Password re-use is worse than weak passwords.
>Password re-use is worse than weak passwords.
Weeeeel, it *shouldn't* be, ideally salts and other techniques discussed above should be used so the stored hashes would never be the same from one site to the next. But if they all just blindly do sha1($pw) then of course it's a problem.
How do salts and stored hashes protect against reused passes? I get LinkedIn's db, and find that they've only stores Zuck's hash and salt. Given he's not just any ordinary target but (a) an internationally recognisable figure with rather a lot of influence, and (b) someone who's (as of now) been known to reuse passwords, I decide he's a good target. I plug the salt into my script and bruteforce until I get a hash that matches. Huh, it's "dadada". Now I head over to a bunch of other sites and try dadada out. The salting and hashing has only protected the majority of users, because it's a PITA (and slow) to bruteforce all those salty hashes, but it hasn't actually added any (meaningful) extra protection to any individual login, and does nothing to mitigate idiot users keeping the same password for everything. Like the OP said, password reuse IS worse than weak passwords. If you find out my password for this site is 1234*, it doesn't matter too much for me since you can't use that pass to gain access to anything else of mine, and I only need to change one password to fix the breach.
NB: I accept I may be wrong or missing something here, so do let me know if that's the case. I also appreciate that I've made quite light of bruteforcing a salted hash, but a six lowercase letter password, containing only two characters, really isn't going to pose that much of a problem. My point is, if someone set out to target Zuck and the LinkedIn db had been salted and hashed, it wouldn't have made that much difference.
My thoughts exactly, AC. It's just a bit too bloody convenient otherwise, especially on the same day FB announce they're nobbling mobile-browser access to FB messaging and expecting everybody to use the app instead...
They already have my number thanks to my nearest'n'dearest using FB/WhatsApp on *their* phones (cheers, y'all) but damned if I'm handing it over directly.
All the comments so far have criticised/complained about users password choice.
Who are the experts?
A: LinkedIn IT staff
Who are responsible for ensuring the information stored on LinkedIn systems remain secure?
A: LinkedIn IT staff
Who's system was breached allowing the account details of 117 million people walk out the door?
If you're working for/managing a company that insists on collecting a treasure trove of personal information make damn sure you keep it secure or do not collect it. No excuses.
That bad huh?
short - not good
combination of dad and ada - not good
Position 5346 in the top 10,000 list of password - terrible and to me a bit surprising.
To me the password I often use for sites I don't care at all about seems much more obvious yet isn't in the top 10,000 and is definitely in a dictionary unlike dadada.
I use a single insecure and easy-to remember password on all sites where a hacker can do little or no damage. Such as this site, for example, where the worst consequence will be that someone posts an embarrassing comment under my nym or signs me up to a load of spam directed to one of my throwaway email accounts. Which would be a minor irritation that would cost me not a second of lost sleep. Logins to sites where a breach could cause me real damage are unique and more secure. Also note that a brute-force attack on "dadada" would likely take just as long as a brute force attack on any other 6 character password.
" So what? I use a single insecure and easy-to remember password on all sites where a hacker can do little or no damage. "
but, but but.. someone could have logged in as Mark Z on Linked In and said "Facebook sucks, you morons" and a collapse of Gerald Ronson-esque size could ensue.
What a golden opportunity squandered.
using them alone is more secure than
Username + Password + "password reset" secret questions that can be sussed out with a few minutes on LinkedIn or Ancestry.com. Or alternatively one can be clever enough to lie, which means one is probably writing them down somewhere because remembering the right wrong answer for my place of birth or mother's maiden name is a chore, if they change on every site, as my username and password do.
Reusing a password (especially a simple one) is the user's fault. Mandating a larger attack surface is the site's fault. Also, how do I change my fingerprints once "Only Outlaws can buy Gummy Bears".
Personally, I don't know the answer to any of my secret questions. I generate a random string and paste that in.
Passwords are in a manager so the questions shouldnt ever be needed, and if they are Ive bigger things to worry about.
Does mean it's a right shit when a site suddenly updates login to include "enter character 6 of the answer to your security question" though.
I wouldn't be able to forgive myself if I didn't respond with the following:
Thank you for allowing me to get that off my chest. Carry on,
Apparently the Zuckerberg is a VW fan:
Clearly a fully Regerific article would ask it it was one of the characters and the tagline. Or perhaps he's just always felt like the little white skeleton being manipulated by others while fearing his the stinky chair that everyone wants to dump.
I do use one password for all the crappy sites that require you to create a user account just to read a forum or blog. I use a stronger password for any "real" sites I use. I use a unique 12+ character password with 2-factor authentication for each bank I have an account with. I use my "hardest" password for my personal email. Personally, I think that your personal email should be the most secure password/account you own. Don't agree? Is it just email? NO. Practically any site that has a reset protocol requires that it sends a password link or code to your email. If that is compromised, your bank may well be too.
Give me your home email + your public facebook info(ie pet's name, child's name, highschool attended, etc and someone can get into your bank with the "Forgot Password" link. Make that the most secure.
Get it yet?
where users need to use a code submitted to a pre-registered mobile phone
Screw that. No, websites, you may not have my phone number. No, you may not send me SMS messages. No, I don't always have my phone with me; it does not always have service (like, for example, inside my vacation home); it is not always charged or on.
Mobile phones are a lousy choice for 2FA. They have far too many failure modes.
Dedicated tokens avoid some of those issues, but they're still inconvenient, can be lost or stolen (particularly an issue with e.g. RSA SecureID tokens, less so with smartcards), and are often tied to a single authenticator.
Passwords are an abysmal authentication mechanism. We've known that for decades. But the industry has not done a good job of coming up with anything better. It can't be solved without some additional cost to the user, but we haven't gotten anywhere close to optimizing that cost.
Jesus Christ. You better have some respect, talking about your friends across the water. You're talking about one of our greatest leaders now Mark Zuckerberg.
Mind your own fucking business. I am not kidding.
Princetastic, Mark is a real live Hand of God / King you don't think so?
Biting the hand that feeds IT © 1998–2019