OT: Doing It Wrong


Brandon Wirtz
Dec 30, 2011, 3:10:08 AM12/30/11
to google-a...@googlegroups.com

This was too much not to share.

I was talking to a company today that is using password hashing to keep their users' passwords "safe". They were using Bcrypt.

Given the performance hit that using Bcrypt has, I was surprised how many users they were able to support on very few CPUs.

"We have a Translation Table. Lookups are faster than calculating the hash, so we check the lookup table before we calculate the hash that we are going to authenticate against."

Pulling up the translation table gave the plaintext of every user and password in their system, along with all of the old usernames and passwords of those users.

Apparently the idea was one the outsourced development company had "deployed to hundreds if not thousands" of sites, and "it had never been a problem before".

You can have the best locks on your doors, but if you leave the sliding glass window open they aren't doing you any good.

Brandon Wirtz
BlackWaterOps: President / Lead Mercenary

Work: 510-992-6548
Toll Free: 866-400-4536

IM: dra...@gmail.com (Google Talk)
Skype: drakegreene

BlackWater Ops
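The "translation table" pattern described in the post beside its hardened form, as an added example that is not code from the thread or from the company described. hashlib.pbkdf2_hmac stands in for bcrypt because it ships with Python; the store classes, the iteration count and the sample user are assumptions.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: hashlib.pbkdf2_hmac ships with Python and has the same
# shape (salt + tunable work factor). The iteration count is an assumption
# chosen for the example, not a production recommendation.
ITERATIONS = 50_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretch with the stored salt; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# A record for a password nobody holds, so a login for an unknown user still
# pays the full KDF cost instead of returning instantly (a username oracle).
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


class TranslationTableStore:
    """The pattern from the post: a plaintext 'translation table' is consulted
    before the hash so logins are cheap. Anyone who can read that table (a
    backup, an injection bug, a contractor) gets every credential, so the
    hash column protects nothing."""

    def __init__(self):
        self.hashes = {}             # username -> KDF record
        self.translation_table = {}  # username -> plaintext password

    def register(self, user, password):
        self.hashes[user] = hash_password(password)
        self.translation_table[user] = password

    def login(self, user, password):
        if user in self.translation_table:          # fast path skips the KDF
            return self.translation_table[user] == password
        return user in self.hashes and verify_password(password, self.hashes[user])

    def plaintext_in_storage(self):
        """What a read of the datastore reveals: every current password."""
        return dict(self.translation_table)


class HashedStore:
    """Hardened form: only salted, stretched hashes are stored and the KDF runs
    on every login. Cut CPU by tuning the work factor or by issuing a session
    token after one successful login, never by caching the plaintext."""

    def __init__(self):
        self.hashes = {}

    def register(self, user, password):
        self.hashes[user] = hash_password(password)

    def login(self, user, password):
        record = self.hashes.get(user, _DUMMY_RECORD)
        return verify_password(password, record) and user in self.hashes

    def plaintext_in_storage(self):
        return {}
```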

Rohan Chandiramani
Jan 2, 2012, 4:44:04 AM1/2/12
to google-a...@googlegroups.com
I don't even understand how people can come up with this stuff... even a high school student knows better than that.
Still gave a good laugh though!

Paul
Jan 2, 2012, 2:11:10 PM1/2/12
to Google App Engine
While we are at it - what would you suggest to be a most efficient
solution on App Engine? Is bcrypt too heavy?

On Dec 30 2011, 9:10 am, "Brandon Wirtz" <drak...@digerat.com> wrote:
> This was too much not to share.
>
> I was talking a company today that is using Password hashing to keep their
> user's passwords "safe".  They were using Bcrypt.
>
> Given the performance hit that using Bcrypt has I was surprised how many
> users they were able to support on very few CPUs.
>
> "We have a Translation Table. Look ups are faster than calculating the hash,
> so we check the look up table before we calculate the hash that we are going
> to authenticate against."
>
> Pulling up the translation table gave the plain Text of every User and
> Password in their system. Along with all of the old usernames and passwords
> of those users.
>
> Apparently the idea was one the out sourced development company had
> "Deployed to hundreds if not thousands" of sites, and "it had never been a
> problem before".
>
> You can have the best locks on your doors, but if you leave the sliding
> glass window open they aren't doing you any good.
>
> Brandon Wirtz
> BlackWaterOps: President / Lead Mercenary
>
> IM: drak...@gmail.com (Google Talk)
> Skype: drakegreene
>
>  <http://www.blackwaterops.com/> BlackWater Ops

Jeff Schnitzer
Jan 2, 2012, 2:25:40 PM1/2/12
to google-a...@googlegroups.com
On Mon, Jan 2, 2012 at 11:11 AM, Paul <pgronk...@gmail.com> wrote:
> While we are at it - what would you suggest to be a most efficient
> solution on App Engine? Is bcrypt too heavy?

My advice is not to bother with all that crap. Use BrowserID anywhere
you would use a username/pw instead.

I recently replaced the local username/pw part of my dual-auth system
(FB being the other) with BrowserID. The user experience is way
better than any other local auth system I've seen, including ours -
which was pretty damn nice.

http://www.browserid.org/

Jeff

Brandon Wirtz
Jan 2, 2012, 3:31:53 PM1/2/12
to google-a...@googlegroups.com
I don't like BrowserID, OpenID, OAuth solutions because I can put a form on
a page that looks just like one, get your pass, and then look at which sites
you have cookies for and instantly know which sites I have your User/Pass
for.

Unified login might be fine for protecting your Facebook... but SOME COMPANY
(I won't say who, but it rhymes with Moogle) recently unified my logins, so
where I used to have a Password for my Mail, a Password for my YouTube, a
Password for my Adsense, and a Password for Adwords, today if you hack my
Plus account you could spend $100k on Adwords against your website, making
me poorer, and you richer.

Unified Login is for convenience not security. You might as well guard your
site with a note that says "do not hack me it isn't nice".

-Brandon

--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to google-a...@googlegroups.com.
To unsubscribe from this group, send email to
google-appengi...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en.


Barry Hunter
Jan 2, 2012, 3:35:35 PM1/2/12
to google-a...@googlegroups.com
On Mon, Jan 2, 2012 at 8:31 PM, Brandon Wirtz <dra...@digerat.com> wrote:
> and then look at which sites
> you have cookies for

How? 

Brandon Wirtz
Jan 2, 2012, 3:54:55 PM1/2/12
to google-a...@googlegroups.com

I’m not sure I’m willing to post that. But the hint is that sites you don’t have cookies for will redirect you to a login page.

Jeff Schnitzer
Jan 3, 2012, 2:18:30 AM1/3/12
to google-a...@googlegroups.com
The flip side of this argument is that by typing in a username &
password on a zillion websites, your credentials are exposed when any
of those websites are compromised.

Some people argue that you should use a unique username and password
on each site. Those people live in a fantasy world populated with an
entirely different species of human than the one I live in. The
"average internet user" uses the same password for banking as they do
for their porn viewing, and it will take Maoist-style re-education
camps to change that.

Nothing stops you from creating separate moogle accounts for various
services, so *your* security is not compromised in any way. But
taking passwords out of the hands of crappy PHP forums around the
world would be a big step in making the internet as a whole more
secure.

Also: Since all those services have "reset password" features
associated with your email address, even having separate
username/passwords for each doesn't really get you any additional
security. It all comes down to securing the email address. BrowserID
is rad because it's a more elegant way of handling this email address
association.

Jeff

--
We are the 20%

Rohan Chandiramani
Jan 3, 2012, 4:00:21 AM1/3/12
to google-a...@googlegroups.com
But then in the case of you creating such a fake form, it's the user's fault for not checking the URL/SSL connection?
Tbh I'd rather see a Google login for every major service I use; the credentials are safer than most sites and, like you said, it's very convenient.

If I were to lose that Google account, it would be my own fault, instead of, let's say... my EA account being hacked because of a silly SQL injection and my password being hashed with fabulous MD5 for all to see.

So in a nutshell, with unified logins the server side is safer; using it properly is your responsibility... Don't you agree?

Brandon Wirtz
Jan 3, 2012, 4:07:29 AM1/3/12
to google-a...@googlegroups.com
I have unique passwords for every site. I use a common base but have a
system for the name of the site being in the pass.

Base= MyPassW0rd
Google = MyPassGoogleW0rd

I also have "throw away" and "Attached to Money" passwords. And Attached
to Money is even more complex.

I self manage I don't use a password locker.

I have had trouble when sites rebrand.

Brandon Wirtz
Jan 3, 2012, 5:51:48 AM1/3/12
to google-a...@googlegroups.com

Lots of times there is a form on the page and the whole "go out to wherever and authenticate with a token" doesn't happen.

It is hard to blame a user for taking the "Login using Facebook" in a blue form on the page.

Rohan Chandiramani
Jan 3, 2012, 7:06:24 AM1/3/12
to google-a...@googlegroups.com
A simple checklist of:

Oh look, an OpenID login. Let's press the Google button.

1. Did I get sent to a different page?
2. Does it say *.google.com?
3. Is there a lock / green URL?

If all questions are answered with yes, it's most likely legit.

If the user is unable to do this, it is his own fault.

Even the elderly around here know about this checklist and do safe internet banking with it.

In any case, all the cool kids are moving to OpenID nowadays...

Brandon Wirtz
Jan 3, 2012, 8:43:21 AM1/3/12
to google-a...@googlegroups.com
Oh? And how do I know if Flickr.com is a Yahoo property?
Or YouTube is a Google property?

Is Google.Ly a legit property?

Does my Google.co.uk login work on Google.com?

How am I supposed to keep up with the full list of Google properties?



Barry Hunter
Jan 3, 2012, 9:43:40 AM1/3/12
to google-a...@googlegroups.com
On Tue, Jan 3, 2012 at 1:43 PM, Brandon Wirtz <dra...@digerat.com> wrote:
> Oh? And How do I know if Flickr.com is a Yahoo Propery?
> Or Youtube is a Google Property?

Why is that relevant?

When you log in to YouTube, you still log in via accounts.google.com or www.google.com; you should only offer your Google credentials to those URLs. Doesn't matter what site you visit, if you log in with Google credentials, it should be on those URLs.

If you go to google.co.uk and you go to sign in, it should be on accounts.google.com or www.google.com; if so, then it accepts your Google login.
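Barry's rule (Google credentials only ever go to accounts.google.com or www.google.com) written as a URL check that a test suite or a login-flow audit could run. This is an added example, not code from the thread; it uses the two hosts named above as the allowlist, follows the exact-host rule rather than the *.google.com wildcard in Rohan's checklist, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# The two hosts named in the thread as the only places Google credentials belong.
GOOGLE_LOGIN_HOSTS = frozenset({"accounts.google.com", "www.google.com"})


def is_trusted_login_url(url: str, trusted_hosts=GOOGLE_LOGIN_HOSTS) -> bool:
    """True only when url is https and its host is exactly one of trusted_hosts.

    A real URL parser is used instead of a substring test, so a trusted name
    that merely appears in the path, the query string, the userinfo part, or
    as the leading labels of a longer host does not pass the check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. a malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname       # drops userinfo and port, lowercases the name
    return host is not None and host in trusted_hosts


def classify_login_urls(urls):
    """Map each URL to 'trusted' or 'reject', the automated form of the
    'did I get sent to a different page, and is it the right one?' step."""
    return {u: ("trusted" if is_trusted_login_url(u) else "reject") for u in urls}


# Constructed sample URLs: pages a "Sign in with Google" button might land on.
SAMPLE_URLS = [
    "https://accounts.google.com/ServiceLogin?continue=https://www.youtube.com/",
    "https://www.google.com/accounts/Login",
    "https://ACCOUNTS.GOOGLE.COM:443/",                 # case and port differ
    "http://accounts.google.com/ServiceLogin",          # not https
    "https://accounts.google.com.example.net/login",    # longer host
    "https://accounts.google.com@example.net/login",    # name in userinfo
    "https://example.net/login?next=https://accounts.google.com/",
    "https://google.co.uk/accounts",                    # regional host
]

if __name__ == "__main__":
    for url, verdict in classify_login_urls(SAMPLE_URLS).items():
        print(f"{verdict:8} {url}")
```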

Francois Masurel
Jan 3, 2012, 10:05:34 AM1/3/12
to google-a...@googlegroups.com
I really think that users should be able to choose which authentication system is best for them and which one they want to use.  BrowserID might be one of them.

What do you think of Google 2-step authentication? Looks pretty interesting to me.

Francois

Jeff Schnitzer
Jan 3, 2012, 1:25:38 PM1/3/12
to google-a...@googlegroups.com
You represent the 0.01% most sophisticated users on the internet.
Even among technorati, this kind of behavior is rare. You won't be
able to stop users from re-using the same password over and over, so
your website is effectively as secure as the *least* secure website
your users type that same password into. Handing off responsibility
for authentication to a trusted third party is a dramatic improvement
in security for 99.99% of internet users.

Jeff

Jeff Schnitzer
Jan 3, 2012, 1:45:12 PM1/3/12
to google-a...@googlegroups.com
I'm planning on writing up a blog entry on this but... my thought is
that as a typical website designer, you want:

1) A "social login" like Facebook or G+ that allows you to provide a
rich social experience by bringing social graph information to the
table. Also smooths out asking for basic info like name, age, sex,
etc.

2) A backup login for people who are unwilling to accept #1. This
could be local login, but BrowserID is far easier to implement, a far
better UX, and far more secure. When/if it gets integrated into the
browser it will be even more seamless - but the UX is already great.

Of course different kinds of websites demand different approaches; you
wouldn't use this kind of login for a banking system. But for the
typical social website, this is a good mix. And if you don't need
social features, just going with straight-up #2 is stupid-simple to
implement.

OpenID is a disaster both from an implementation perspective (PITA)
and a UX perspective. We've put years and years into polishing the UX
and it's still incredibly confusing for users, especially when they
forget how they logged in last and end up creating multiple accounts.
OpenID as a general-purpose login system isn't going to get better
(although OpenID as a protocol for specifically enabling G+ login is
probably not going away anytime soon).

Jeff

--
We are the 20%

Brandon Wirtz
Jan 3, 2012, 4:03:29 PM1/3/12
to google-a...@googlegroups.com

Because that's not how people have chosen to implement it.

For quite a while Google had accounts for each region. Now, if you try to access OpenID you only get logins in English, because they all go to accounts if you try to access from North America, but if you access from France you only get French login pages, effectively breaking the user experience and the consistent URL.

Changing arguments briefly, the other problem is that most hacks aren't technical, they are social. And all your eggs in one basket makes the draw of a social hack even more appealing.
