Odd rash of brute-force hacks…
A year to the day after I wrote the last update to our insecure password saga, we still haven’t fixed the password change code so that the security check at least runs on the first eight characters, instead of checking the full 30-character password and then silently discarding everything after the eighth character.
This morning, during our weekly network meeting, the help desk reported that they’d been getting a large number of hacked account passwords over the last week sending spam. Oddly, the hacks didn’t appear to be the result of phishing attempts. “It looks like a brute force attack on passwords,” they said.
“Just a note,” I said, “our password system is extremely easy to brute-force, because we truncate secure passwords to 8-character insecure passwords without telling them. If a user sets their password to, say, password4Me at USD exclamation, and some random characters, we tell them it’s secure and then we truncate it to just ‘password’. There are several people who have very simple passwords like that.”
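To make the defect concrete, here is an added illustration (not code from the post or from the LDAP system it mentions) of the two code paths described above: a legacy setter that validates the full password and then stores only a prefix, next to a corrected setter that validates exactly the characters that will be stored. The 8-character limit, the strength policy and the common-word list are assumptions constructed for this example.

```python
import re

# Assumption for this example: the legacy directory keeps only the first
# eight characters of a password, as the post describes.
TRUNCATE_AT = 8
COMMON_WORDS = {"password", "letmein", "welcome"}   # constructed sample list


def is_strong(pw: str) -> bool:
    """Policy (assumed): >= 8 chars, all four character classes, not a common word."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return (len(pw) >= TRUNCATE_AT
            and pw.lower() not in COMMON_WORDS
            and all(re.search(c, pw) for c in classes))


def set_password_legacy(pw: str) -> str:
    """Vulnerable path: validates the full string, then silently stores a prefix.

    'password4Me@$!' passes the policy, but what is stored (and later
    compared at login) is just 'password'.
    """
    if not is_strong(pw):
        raise ValueError("password does not meet policy")
    return pw[:TRUNCATE_AT]          # this prefix is all the store keeps


def set_password_fixed(pw: str) -> str:
    """Hardened path: validates exactly the characters that will be stored.

    The user is told that the tail is discarded, so a weak prefix is
    rejected instead of being silently accepted as 'secure'.
    """
    stored = pw[:TRUNCATE_AT]
    if not is_strong(stored):
        raise ValueError(
            f"only the first {TRUNCATE_AT} characters are stored, "
            "and that portion does not meet policy")
    return stored


if __name__ == "__main__":
    print("legacy stores:", set_password_legacy("password4Me@$!"))
    try:
        set_password_fixed("password4Me@$!")
    except ValueError as e:
        print("fixed rejects:", e)
```

This only stops weak prefixes from being accepted; the stored length itself is the real weakness, which is why the LDAP migration, not this check, is the actual fix.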
“We’ll be switching to a secure version of LDAP very soon,” said the person who is, in fact, doing a great job at bringing our new LDAP system online.
About a minute later, after another person described the process when an account is hacked, and how they’d been working hard to block the accounts and let the account owners know that their account had been hacked—
“And maybe now they’ll change their password.”
Guys, this time it ain’t necessarily the user’s fault.
In response to Embarrassing password tricks: Never trust anyone over 30 characters.