
eBay Japan Passwords Revealed As Username+123456

timothy posted about 5 months ago | from the oopsie-daisy dept.


mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt used, which should have been random, was the combination '123456', which was reported as last year's worst password." Complete with visual aids.


Hey (5, Funny)

CheezburgerBrown . (3417019) | about 5 months ago | (#46595519)

That's the same password as my luggage!

Re:Hey (5, Interesting)

marcansoft (727665) | about 5 months ago | (#46596519)

Sorry for the threadjack, but this is yet another case of horrible security reporting.

From watching the video, what it seems happened here was that eBay chose phpBB for their community forum, but did not integrate its authentication system directly with eBay's on the server side. Instead, the site was set-up as a standalone system, and whoever implemented the integration had the bright idea of hardcoding the forum password for everyone as username+123456, and then just having the eBay login page issue a hidden POST request behind the scenes to authenticate users to the community forum section.

Thus, this allows anyone to trivially impersonate anyone else on the forum. It shouldn't have anything to do with the rest of the site, though. Nor does this have anything to do with initial passwords, salts, or any of the other terms that have been thrown around.

A case of absolutely retarded login integration for the community site, but not something that would allow people to take over others' main eBay account. What this says about the people running eBay is another matter entirely...

Thanks (0)

Anonymous Coward | about 5 months ago | (#46597443)

I was wondering; the text made no sense whatsoever.

Re:Hey (1)

phantomfive (622387) | about 5 months ago | (#46599667)

Thank you so much for reading the article and figuring that out so I didn't have to. :)

Re:Hey (1)

ArsenneLupin (766289) | about 5 months ago | (#46601133)

and whoever implemented the integration had the bright idea of hardcoding the forum password for everyone as username+123456, and then just having the eBay login page issue a hidden POST request behind the scenes to authenticate users to the community forum section.

... which means that even if the salt had been something else than +123456, it wouldn't really have been more secure, as that "hidden" POST request would have been present in some web resource (html, javascript) downloaded to the end user's browser...

Re:Hey (1)

blueg3 (192743) | about 5 months ago | (#46602085)

They're not talking about a fixed value that's different from "+123456". They're talking about using a different, random value for each user. That is more secure. (There's still plenty of security problems, but it's better than every user's password being completely predictable.)

Of course, if you're bothering to store a different random value for each user, there's no reason to include their username in the password. Just store a long random password for each user. (That's still not great security -- never mind that the password is exposed in cleartext and transmitted over HTTP -- because a user can't change a compromised password.)
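The integration flaw marcansoft reconstructs from the video, and the per-user alternative blueg3 suggests, side by side as an added example. This is not eBay's or phpBB's code; the suffix, the names and the token format are assumptions made for illustration. The first function is the predictable scheme (anyone can compute anyone's forum password). The second goes beyond the thread's "store a long random password per user": it replaces the forum password entirely with a short-lived HMAC-signed assertion that the main site issues and the forum verifies with a shared key, so the browser still carries the token but cannot forge one.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Reconstruction of the scheme described in the thread: every user's forum
# password is username + a fixed suffix (hypothetical names and values).
LEGACY_SUFFIX = "123456"
MAC_LEN = 32  # SHA-256 output size


def legacy_forum_password(username: str) -> str:
    """Anyone who knows the suffix can compute any other user's forum password."""
    return username + LEGACY_SUFFIX


class ForumSSO:
    """Server-to-server login assertion: the main site signs 'username|expiry'
    with a key shared only with the forum.  The browser can carry the token,
    but cannot forge or alter it, and no per-user forum password exists."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, username: str, ttl: int = 300, now: Optional[int] = None) -> str:
        if "|" in username:
            raise ValueError("username may not contain the field separator")
        now = int(time.time()) if now is None else now
        body = f"{username}|{now + ttl}".encode()
        return base64.urlsafe_b64encode(body + self._mac(body)).decode()

    def verify(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the asserted username, or None if the token is malformed,
        forged, or expired."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            if len(raw) <= MAC_LEN:
                return None
            body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
            username, exp_str = body.decode().split("|")
            exp = int(exp_str)
        except (ValueError, UnicodeDecodeError):
            return None
        if not hmac.compare_digest(mac, self._mac(body)):
            return None
        if now >= exp:
            return None
        return username
```

The token is checked with a constant-time comparison and rejected once its expiry passes, which is what makes replaying a captured POST (ArsenneLupin's point) a bounded problem instead of a permanent one; serving the exchange over HTTPS is still required.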

Re:Hey (1)

Adriax (746043) | about 5 months ago | (#46597519)

Prepare eBay One for immediate departure.
And change the combination on my luggage!

Re:Hey (0)

Anonymous Coward | about 5 months ago | (#46615371)

I cracked it at ludicrous speed!

Obligatory (5, Funny)

hey! (33014) | about 5 months ago | (#46595523)

....That's amazing! I've got the same combination on my luggage!

Re:Obligatory (1)

ArcadeMan (2766669) | about 5 months ago | (#46595617)

I wish I had mod points because unlike CheezburgerBrown above, you made a direct quote from the movie.

Re:Obligatory (1)

lucm (889690) | about 5 months ago | (#46599533)

I wish I could take back that google search I just did and live in the blissful oblivion of not knowing what movie that quote came from. Now I'm tainted.

Re:Obligatory (5, Interesting)

ArcadeMan (2766669) | about 5 months ago | (#46595649)

You just gave me an idea.

Alright everyone, LISTEN UP!

If a user tries to use "12345" for his password, return an error message exactly as follows:
"1,2,3,4,5? ....That's amazing! I've got the same combination on my luggage!"

Now go and implement this on your systems, whatever they may be. I don't care if you code systems for banks, the NSA or whatever. It shall be known as "Spaceballs: The Error Message".

Re: Obligatory (1)

TheDarkMaster (1292526) | about 5 months ago | (#46595979)

Dude, that is a really good idea :-D

Re:Obligatory (2, Insightful)

Anonymous Coward | about 5 months ago | (#46595999)

Introducing easter eggs is enough to get fired, if your employer takes quality seriously.

Introducing an idea to add proper entropy calculation of all passwords can help you get a raise. Of course, if you implement it by "if char.isUpper(): entropy += 5" then you should also be fired...
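An added example (not from the page or any poster) of what the comment above is getting at. The flat per-class bonus is shown as written, next to a pool-size entropy estimate and a checker that also applies a denylist and a username test. The denylist is a constructed stand-in for a real breach list; the function names and the 40-bit threshold are assumptions. The point it makes: "alice123456" scores well on both heuristics yet is exactly the eBay Japan pattern, and only the pattern checks catch it.

```python
import math
import string

# Constructed denylist for the example; a real deployment loads a large
# list of passwords seen in breaches.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "qwerty", "letmein"}


def naive_score(password: str) -> int:
    """The heuristic the comment mocks: a flat bonus per character class.
    It knows nothing about dictionaries, patterns or reuse."""
    score = 0
    for ch in password:
        if ch.isupper():
            score += 5
        elif ch.isdigit():
            score += 3
        elif ch in string.punctuation:
            score += 7
        else:
            score += 1
    return score


def pool_entropy_bits(password: str) -> float:
    """Upper bound log2(pool ** length): what the password would be worth if every
    character had been drawn uniformly from the classes it uses.  Accurate for
    generated passwords, wildly optimistic for human-chosen ones."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, username: str, min_bits: float = 40.0) -> list:
    """Return the reasons a password is rejected (empty list means accepted).
    The denylist and username checks run regardless of the entropy estimate."""
    problems = []
    lowered = password.lower()
    user = username.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if user and user in lowered:
        problems.append("contains the username")
        # The eBay Japan pattern: username glued to a weak constant.
        if lowered.replace(user, "") in COMMON_PASSWORDS:
            problems.append("username plus a common password")
    if pool_entropy_bits(password) < min_bits:
        problems.append("too short for its character classes")
    return problems
```

The entropy estimate is kept as a floor for generated passwords only; for human-chosen ones the denylist and pattern tests do the real work.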

Re:Obligatory (4, Funny)

0racle (667029) | about 5 months ago | (#46596289)

Then code a quality easter egg with full test cases and stellar documentation.

Re:Obligatory (0)

Anonymous Coward | about 5 months ago | (#46598773)

Then code a quality easter egg with full test cases and stellar documentation.

Oblig: "It's a feature, not a bug!"

Re:Obligatory (1)

roman_mir (125474) | about 5 months ago | (#46596047)

Just did it in my shining brand new mail forwarding (shipping/logistics) system that's coming out in a few weeks (almost 7 months in development :)

Re:Obligatory (1)

antdude (79039) | about 5 months ago | (#46596111)

I would do that if I knew how to code. :P

Re:Obligatory (1)

Anonymous Coward | about 5 months ago | (#46596527)

I'm totally going to see if I can do this. I'm the guy who would implement this kind of thing where I work. It's supposed to be a highly-secure system, and management and our customers might not actually mind in our case.

Re:Obligatory (0)

Anonymous Coward | about 5 months ago | (#46596839)

Me too. It is a funny way to enforce some password strength.

I'm sorry, what? (2, Funny)

Anonymous Coward | about 5 months ago | (#46595525)

Do you not get to change your eBay password... in Japan?

captcha: nipple. OK, that was worth it.

Obligatory (-1)

Anonymous Coward | about 5 months ago | (#46595537)

That's amazing! I have the same combination on my luggage!

That's amazing! (-1)

Anonymous Coward | about 5 months ago | (#46595549)

I've got the same combination on my luggage.

Spaceballs: The Comment! (5, Funny)

broginator (1955750) | about 5 months ago | (#46595573)

I too have seen Spaceballs.

Spaceballs: The Reply (1)

ArcadeMan (2766669) | about 5 months ago | (#46595629)

I love the title of your post, but I'm out of mod points.

Spaceballs: The Flamewar (1)

GoodNewsJimDotCom (2244874) | about 5 months ago | (#46599781)

Which would you want to see more: The sequel to History of the World part 2, or Spaceballs: Episode Zero?

Spaceballs: A New Reply (1)

ArcadeMan (2766669) | about 5 months ago | (#46599923)

Spaceballs 2: The Search for More Money.

Re:Spaceballs: The Comment! (1)

Anonymous Coward | about 5 months ago | (#46595661)

Ah, so you're the one...modding down all the comments.

Why was the initial password still being used? (4, Insightful)

Todd Knarr (15451) | about 5 months ago | (#46595579)

If the password was set by the system, either during a password reset or initial account creation, the first thing I do is change the password to a random one my password manager program's generated. Why were these accounts still using the system-created password? Also, the article seems to conflate two uses of the term "salt": the random nonce used to ensure the stored hash value isn't the same for two different accounts that picked the same password, and the random string used in the plaintext of the initial password to avoid a trivially-guessable "password same as username"-type case. The two aren't at all the same.

looks like both. password = crypt(username+salt) (4, Informative)

raymorris (2726007) | about 5 months ago | (#46595689)

My interpretation is that they used a) as b), which should be fine if the salt was actually salty. I think they did:

  default_password = crypt(username+salt)

That would be fine if they used real salt (random), but instead they used Mrs. Dash salt substitute.

Oblig. (1)

Anonymous Coward | about 5 months ago | (#46596237)

XKCD [xkcd.com]
How do you know it's not random? [dilbert.com]

Re:looks like both. password = crypt(username+salt (1)

Solandri (704621) | about 5 months ago | (#46598657)

It's actually not a problem if you force users to change their password upon their first login. It's stupid, but it's not a problem. The worst that can happen is that someone can hijack an account/username that's never been used before.

true, but force change causes a problem (1)

raymorris (2726007) | about 5 months ago | (#46599199)

That's true. Forcing users to change the password upon first login does create one problem though. Some users are accustomed to referring back to the initial email or their notes to find the password. Those users keep trying to use the default password after the first time. The system I'm responsible for is set up that way and the help desk LOVES getting all of those calls.

I should see about changing that. It was set that way when I started this job.

wait a minute... (4, Funny)

slashmydots (2189826) | about 5 months ago | (#46595589)

Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?

Re:wait a minute... (2)

lgw (121541) | about 5 months ago | (#46595645)

In Japan they don't obsess so much over children's cartoons? Who knew! I'll have you know the last time I ran a lab everything was named after American kids cartoons - America, fuck yeah!

Re:wait a minute... (2)

crgrace (220738) | about 5 months ago | (#46595877)

When I was an undergrad our Unix labs had every computer named after a cartoon character. All Hanna-Barbera characters too. I liked to use dino because it was fewer characters to type.

Re:wait a minute... (2)

PopeRatzo (965947) | about 5 months ago | (#46596357)

That's nothing. I'm so old that when I was in college all our servers were named after Greek gods.

And our desktops were clay tablets.

Re:wait a minute... (1)

poetmatt (793785) | about 5 months ago | (#46596523)

Zeus has 99.97% uptime in our environment.

Re:wait a minute... (1)

davydagger (2566757) | about 5 months ago | (#46600339)

threee nines, fucking ametures.

five nines is the fucking standard.

Re:wait a minute... (1)

Anonymous Coward | about 5 months ago | (#46600667)

threee misteaks in you're reply.

Re:wait a minute... (0)

Anonymous Coward | about 5 months ago | (#46602161)

too mistakes in yours

Re:wait a minute... (1)

almitydave (2452422) | about 5 months ago | (#46596623)

And our desktops were clay tablets.

We're swerving pretty far off-topic here, but has anyone made a clay tablet computer? Seriously even a clay tablet case with cuneiform writing on it would be neat. I can't find anything on teh googles.

Re:wait a minute... (1)

Redmancometh (2676319) | about 5 months ago | (#46597001)

All our stacks in college were named after Simpson characters

Re:wait a minute... (0)

Anonymous Coward | about 5 months ago | (#46595895)

Because in Japan, anime and manga doesn't mean that it is for children?

Re:wait a minute... (1)

lgw (121541) | about 5 months ago | (#46596021)

Anime is just TV in Japan, generally targeted at teenagers. Most manga is similar. Many US printed comics have moved their target audience from ~10 to ~15 in recent decades (much thanks to Frank Miller and Neil Gaiman and Alan Moore for elevating the tone), but American cartoons are just starting to make the jump from younger kids to teens. But none of the mainstream stuff is really targeted at adults.

(As an aside, Superman in particular has really struggled with this, with sometimes inspired results. It was a great property for young boys, but taking the character seriously made it very hard to write any sort of convincing plots. But the best art often comes from constraints, and some of the IMO top American comic stories have come from that: he may be impossibly powerful, but he can still be faced with an interesting moral dilemma.)

Re:wait a minute... (1)

AmiMoJo (196126) | about 5 months ago | (#46601287)

In Japan anime isn't just for kids. I'm not talking about porn either, there are shows for all ages and genres. Manga is even more diverse. There are huge monthly manga books with 500+ pages just containing stories about people playing mahjong or go.

Re:wait a minute... (1)

slashmydots (2189826) | about 5 months ago | (#46601703)

Almost all anime is designed for adults, you clueless troll.

Re:wait a minute... (0)

Anonymous Coward | about 5 months ago | (#46595693)

The secret here is that all Japanese are otakus - they love games, anime, music, etc....

But their college to job culture is fucked up. In their 4th year of college, they have to suppress any hobbies such as games or anime so that potential employers see that they are only dedicated to their new possible job, no matter what it is.

They also do not get a job based off their college degree most of the time.

Re:wait a minute... (2)

Nidi62 (1525137) | about 5 months ago | (#46595775)

Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?

Maybe ebay knew that Japanese people love to travel, so this would be easy for them to remember because it's probably the same combination as their luggage?

PASSWORD (0)

Anonymous Coward | about 5 months ago | (#46595593)

LUGGAGE DAMMIT

Elon Musk's Spaceship (-1)

Anonymous Coward | about 5 months ago | (#46595621)

It takes a seller 60 days to collect their money from ebay/paypal after selling an item. Yes, 60 whole days before you see a single cent from your sale.

But Elon Musk has a spaceship!

Re:Elon Musk's Spaceship (0)

Anonymous Coward | about 5 months ago | (#46595899)

It takes a seller 60 days to collect their money from ebay/paypal after selling an item. Yes, 60 whole days before you see a single cent from your sale.

But Elon Musk has a spaceship!

What the hell are you talking about?

Captcha: Musk

Re:Elon Musk's Spaceship (0)

Anonymous Coward | about 5 months ago | (#46595997)

http://www.spacex.com/falcon9

Re:Elon Musk's Spaceship (1)

Anonymous Coward | about 5 months ago | (#46596907)

Thanks, because that was the part of the GPs comment that made no fucking sense

I'm rich! (1)

roc97007 (608802) | about 5 months ago | (#46595671)

I just sold my 1971 Pinto to Hiroto Takahashi for 25,532,500 yen! Plus shipping!

Re:I'm rich! (1)

Anonymous Coward | about 5 months ago | (#46595773)

I just sold my 1971 Pinto to Hiroto Takahashi for 25,532,500 yen! Plus shipping!

You know, a quarter million USD doesn't go very far these days. Don't quit your day job.

visual aids (-1, Troll)

kruach aum (1934852) | about 5 months ago | (#46595849)

No, I think this was a case of someone suffering from mental AIDS.

Not salt (5, Informative)

blueg3 (192743) | about 5 months ago | (#46595857)

It looks from the video that the password is simply the username concatenated with a global string, "123456".

That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

So all these discussions of salt are not at all relevant.

This is fundamentally a case of hard-coded credentials [mitre.org] , which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)

Re:Not salt (4, Funny)

jxander (2605655) | about 5 months ago | (#46595905)

We'll call this "just a pinch of salt"

Re:Not salt (2)

hawguy (1600213) | about 5 months ago | (#46595981)

It looks from the video that the password is simply the username concatenated with a global string, "123456".

That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

So all these discussions of salt are not at all relevant.

This is fundamentally a case of hard-coded credentials [mitre.org] , which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)

I was wondering about that too -- from the description it didn't sound like a salt, I thought the summary was inaccurate (nearly unheard of on Slashdot!), but TFA said the same thing.

Sounds like someone knew enough about cryptography to be dangerous and thought that any random (or not) string added to the plaintext password is a salt.

Re:Not salt (-1)

Anonymous Coward | about 5 months ago | (#46596217)

That's not salt.

It certainly isn't. You have to wonder why exactly the Republicans are pushing this lie. I guess their reasoning is their usual paranoid hatred of security.

Re:Not salt (0)

Anonymous Coward | about 5 months ago | (#46596353)

They encrypt "username123456" to generate the password. The result is a random looking but not actually random password.

Random? (2)

Anonymous Coward | about 5 months ago | (#46596053)

How do they know that 123456 wasn't generated at random? It has the same probability of occurring as any other 6 digit random number...

Re:Random? (1)

Lehk228 (705449) | about 5 months ago | (#46597657)

int rand() { return 4; } // genuine random number chosen by dice roll

Same for all Four Users? (3, Insightful)

fullback (968784) | about 5 months ago | (#46596197)

I've lived in Japan for over 20 years and I, like probably most people in Japan, didn't know it even existed.

Re:Same for all Four Users? (0)

Anonymous Coward | about 5 months ago | (#46600355)

Because it doesn't. eBay Japan was shut down long ago, because it couldn't compete with (which I'm sure you know, and you probably use).

Re:Same for all Four Users? (0)

Anonymous Coward | about 5 months ago | (#46601349)

Wow! It couldn't compete with?! That's pretty bad. I mean, if you can't compete with, you can't really compete with anything.

I'd love to click the link but... (0)

Anonymous Coward | about 5 months ago | (#46596379)

I dont want aids.

so they got mine (0)

Anonymous Coward | about 5 months ago | (#46596595)

my password was 12345

so now its 1234512345
haha

Almost-best practices (1)

tepples (727027) | about 5 months ago | (#46596819)

From the crackstation.net article:

For the same reason, the username shouldn't be used as a salt. Usernames may be unique to a single service, but they are predictable and often reused for accounts on other services. An attacker can build lookup tables for common usernames and use them to crack username-salted hashes.
[...]
The next step is to add a secret key to the hash so that only someone who knows the key can use the hash to validate a password.

One site I've worked on uses the user ID, username, join date/time, and a secret per-site string as the salt for the password. User IDs are sequential and can be sort of guessed from the join date, but I'm under the impression that there's enough entropy in the minutes and seconds of the join date/time, and the secret per-site string keeps the lookup table from applying to more than one site.

Don't do that, because it lets the bad guys check if a username is valid without knowing the password.

The bad guys can already do that by trying to register an account with that username or by trying to send a private message to that username.

The denial of service threat [from key stretching] can be eliminated by making the user solve a CAPTCHA every time they log in.

Which makes it impossible for blind people to use the web application.

The token [in an e-mail password reset means] must be set to expire in 15 minutes or after it is used, whichever comes first.

Why 15 minutes? Some e-mail systems have been known to take longer than that to deliver a message. The site I've worked on uses a 24-hour expiry for these random one-time temporary passwords.

Re:Almost-best practices (1)

Lehk228 (705449) | about 5 months ago | (#46597675)

>2014
>still making the public display name and login name the same

Re:Almost-best practices (1)

tepples (727027) | about 5 months ago | (#46597801)

Matters not. You can test for validity of a public display name by trying to send a private message, and you can test for validity of a login name by attempting to register it.

Re:Almost-best practices (1)

Lehk228 (705449) | about 5 months ago | (#46599161)

One to one you can, but if you try that on a scale of thousands it will clearly be a hacking attempt.

Re:Almost-best practices (1)

blueg3 (192743) | about 5 months ago | (#46602159)

One site I've worked on uses the user ID, username, join date/time, and a secret per-site string as the salt for the password. User IDs are sequential and can be sort of guessed from the join date, but I'm under the impression that there's enough entropy in the minutes and seconds of the join date/time, and the secret per-site string keeps the lookup table from applying to more than one site.

The function of salt is to make password cracking efforts more difficult when the attacker has access to the site's password database. So, predictability is not as important, since all the listed information is available to the attacker anyway. (Similarly, the salts are available to the attacker.) That doesn't look like much entropy, though. Really, storing an extra column of random, per-user salts in a database is not particularly hard and has tangible (though not magical) benefits.

The bad guys can already do that by trying to register an account with that username or by trying to send a private message to that username.

Yeah. IMO, usernames should never be relied on for security. Just assume an attacker can determine what usernames are taken and which aren't, and further assume that an attacker with a particular target can figure out the username for that target. (Unless pseudonymity is a key design aspect of your system.)
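What a salt actually is, as blueg3's "Not salt" comment and the reply above describe it, in working form. This is an added example, not code from the page, from eBay or from crackstation; the record format, the iteration count and the function names are my own choices. `hash_password` stores a fresh random per-user salt next to the hash so two users with the same password get different records and a precomputed table does not apply; `username_salted_hash` is the anti-pattern from the crackstation quote, deterministic across sites for the same username and password. Neither involves anything the client ever types, which is the distinction the thread is drawing.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256.  Kept modest so the example runs quickly;
# raise it for production (current OWASP guidance is several hundred thousand).
ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str) -> str:
    """Hash with a fresh random per-user salt; returns a self-describing record."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        return False


def username_salted_hash(username: str, password: str) -> str:
    """The anti-pattern the crackstation quote warns about: the username as salt.
    Deterministic, so one precomputed table for 'admin' or 'alice' cracks that
    account on every site that uses this scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.encode(), ITERATIONS
    ).hex()
```

Storing the iteration count in the record is what lets the work factor be raised later without invalidating old hashes: verify with the stored parameters, then rehash on successful login.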


crappy reporting, crappy editing (1)

Anonymous Coward | about 5 months ago | (#46599175)

Uh, that's not a salt, it's a crappy password. A salt's purpose is to make hash(salt, value) result in something different than hash(salt2, samevalue). This protects against attacks against disclosed password databases. Also, for a salt, the user never types it in. The salt is stored near the password hash, is randomly generated by the application, and is never seen by the user.

On the other hand, this is a default (or possibly hard coded) password. In this case, the user types in their username concatenated with the common string 123456 to enter their password. Totally different place in the application. This has absolutely nothing to do with the password storage, nothing to do with the existence or lack of a secure hashing algorithm, and nothing to do with the existence or lack of a salt.

Can't slashdot editors, ya know, fucking edit? It's been how many years now, and they still let crap like this through without any editing? I, for one, would never hire a slashdot editor for any job.

It's called sabotage (0)

Anonymous Coward | about 5 months ago | (#46599227)

It's the kind of stuff Asian people do all the time. It's not their company. It competes with their companies and so Japanese workers there quickly bite the hand that feeds them and do that. It's all they do..

This summary should... (0)

Anonymous Coward | about 5 months ago | (#46600919)

...be taken with a grain of salt.

salt? (0)

Anonymous Coward | about 5 months ago | (#46602955)

like the kind you put on food? Salt is a mineral substance composed primarily of sodium chloride (NaCl), a chemical compound belonging to the larger class of ionic salts; salt in its natural form as a crystalline mineral is known as rock salt or halite.
