Welcome to Bucaro TecHelp!
Excuse Me, May I Borrow Your Passwords?

Some time ago, I was one of the most prolific contributors to one of the most popular newsgroups on Usenet. The newsgroup's purpose was to provide fraudulently obtained, but valid, passwords for websites.

The process there is fairly straightforward: someone posts the address of a web site they want (free and illegal) access to. Several group members with colorful nicknames then "run" the site. If a valid username/password is found, it is emailed to the requestor, who in turn publicly heaps praise on the grantor, thus inflating his or her ego. My colorful nickname was "PassBandit", and I have a few tips for you.

The web site password authentication process is chock full of security flaws. And wherever there are security flaws, there are scads of both real and wannabe hackers trying to exploit them.

One of those flaws is that a user can submit an unlimited number of username/password combinations without ever being locked out by the web site. For "PassBandit", this flaw meant he could run a program that automatically submits usernames and passwords from a supplied list and then determines, from the reply the web site sends back, whether the combination succeeded. The program ran 70 attempts at once, which gave a rate in the several-hundred-attempts-per-second range. If a combination didn't work, the program simply tried another. And another. And another, until it found one that worked. The only thing standing between such a tool and a weak password is whether the site counts failures and slows down or locks out the guesser.
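To make the flaw concrete, here is an added example (my code, not anything from the article or from "PassBandit"'s tool) that models both sides: a toy login endpoint whose reply a guessing loop reads, exactly as described above, and the same endpoint with the missing check added. The user store, the wordlist and the account names are constructed for the demo, and the hashing cost is deliberately low so the loop runs in a moment; the single-threaded loop stands in for the 70 parallel workers, which only change the rate, not the logic.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Deliberately low so the demo runs quickly; a real site would use a far higher
# count or a memory-hard KDF such as scrypt or Argon2.
PBKDF2_ROUNDS = 1_000

# Constructed wordlist standing in for the "supplied list" the article mentions.
COMMON_PASSWORDS = ["123456", "qwerty", "letmein", "asdf", "welcome",
                    "password", "monkey", "abc123"]


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users(plaintexts):
    """Constructed user store: username -> (salt, hash). Plaintexts exist only to build it."""
    store = {}
    for name, password in plaintexts.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store


class LoginService:
    """Toy login endpoint.

    max_failures=None reproduces the flaw described in the article: any number of
    guesses per account.  With a limit set, the account is locked for
    lockout_seconds after that many consecutive failures.
    """

    DUMMY_SALT = b"\x00" * 16  # used for unknown usernames so timing stays uniform

    def __init__(self, users, max_failures=None, lockout_seconds=900):
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, username, password, now=0.0):
        """Return "ok", "denied" or "locked": the reply a guessing tool reads."""
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        salt, stored = self.users.get(username, (self.DUMMY_SALT, None))
        # Hash even for unknown users so response time does not reveal whether
        # the username exists.
        candidate = hash_password(password, salt)
        if stored is not None and hmac.compare_digest(candidate, stored):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.max_failures is not None and self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
        return "denied"


def guess_password(service, username, wordlist, now=0.0):
    """Single-threaded model of the guessing tool: submit each candidate, read the
    reply, stop on success or lockout.  Returns (password_or_None, attempts)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        reply = service.login(username, candidate, now)
        if reply == "ok":
            return candidate, attempts
        if reply == "locked":
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    users = make_users({"alice": "Tr0ub4dor&3-xk", "bob": "password"})
    open_site = LoginService(users)                 # the flaw: no lockout
    print("open site, bob:  ", guess_password(open_site, "bob", COMMON_PASSWORDS))
    print("open site, alice:", guess_password(open_site, "alice", COMMON_PASSWORDS))
    locking_site = LoginService(users, max_failures=5)
    print("lockout, bob:    ", guess_password(locking_site, "bob", COMMON_PASSWORDS))
```

On the open site the loop recovers bob's "password" on the sixth reply and gives up on alice only after exhausting the list; with a five-failure lockout it is turned away on the sixth attempt before reaching the right guess. Lockout on its own is not the whole answer: it lets an attacker deliberately lock out paying users, and it does nothing against a tool that tries one common password across thousands of usernames, so a real deployment pairs it with throttling per source address and alerting on failure volume.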

Of course, there are some sites - not very many - that I couldn't get into. And some sites were harder than others. However, every site that I did get into had one thing in common: at least one user who made a stupid (make that "ill-informed") choice of username and password.

Once a username and password have been compromised, and when (not if) the compromise is eventually discovered, most sites will instantly close the account. This ends the fraudulent use of that password, but it also punishes the legitimate user who actually paid for access to the site.

Here are some tips to ensure that your account is not the weak account that the other PassBandits of the world compromise:

-  The password is more important than the username. Do not assume that because you have an unusual username (including an email address) you can choose a simple password. I'd say that on about 2-3% of the web servers I checked, I could obtain that site's entire list of users and their passwords. The passwords are stored in hashed ("encrypted") form, but the usernames are not. With the list in hand, guessing no longer goes through the web site at all: it runs offline, as fast as the attacker's own machine can hash candidates. So if you chose an easy password, such as "password" or "asdf", I'd have your username/password combination in amazingly short order.

-  Make your reminder question tough and unique. If the site offers a "secret question" type of access to your password (in case you lose it), make it something unique, such as "What is my nickname at work?", and make sure the answer is not something a stranger could look up or guess. Believe it or not, a person actually had "QuestionQuestion" as his reminder question. Guess what the correct reply to his reminder question is? If you guessed "AnswerAnswer", congratulations -- the web site will now hand over the poor schmuck's password. True story!
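The first tip above describes what happens after a site's user list leaks: the attacker no longer needs the web site, only a wordlist and the hashes. The following is an added example, my own code and not anything from the article, that runs such an offline dictionary attack against a constructed "leaked" list of accounts. The file format (username, hex salt, salted SHA-256 digest, colon-separated) and the account names and passwords are assumptions made for the demo; the point it shows is that salting and hashing protect only users whose passwords are not on the list, and that usernames sitting in the clear give the attacker extra candidates for free.

```python
import hashlib
import os

# Constructed wordlist; real attackers use lists with millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "asdf", "letmein"]


def make_leak(accounts):
    """Build a constructed leak in the assumed user:salt:sha256(salt+password) format.
    Plaintext passwords exist only to produce the demo file."""
    lines = []
    for user, password in accounts.items():
        salt = os.urandom(8).hex()
        digest = hashlib.sha256((salt + password).encode()).hexdigest()
        lines.append(f"{user}:{salt}:{digest}")
    return "\n".join(lines)


def parse_leak(text):
    """Yield (username, salt, digest) triples from the assumed leak format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, salt, digest = line.split(":")
        yield user, salt, digest


def username_candidates(user):
    """Because usernames are in the clear, they seed obvious extra guesses."""
    return [user, user + "123", user + "1"]


def crack(leak_text, wordlist):
    """Offline dictionary attack.

    For each leaked account, hash every candidate with that account's salt and
    compare against the stored digest.  Returns {username: (password, guesses)};
    password is None when the candidate list is exhausted without a match.
    The per-user salt means each account must be attacked separately, but it does
    nothing for a password that is on the list.
    """
    results = {}
    for user, salt, digest in parse_leak(leak_text):
        found = None
        guesses = 0
        for candidate in list(wordlist) + username_candidates(user):
            guesses += 1
            if hashlib.sha256((salt + candidate).encode()).hexdigest() == digest:
                found = candidate
                break
        results[user] = (found, guesses)
    return results


if __name__ == "__main__":
    leak = make_leak({
        "jdoe": "password",               # on the wordlist
        "qwerty_fan": "asdf",             # on the wordlist
        "sally": "sally123",              # derived from the username
        "rjones": "c0rrect-H0rse!battery",  # survives this wordlist
    })
    for user, (password, guesses) in crack(leak, COMMON_PASSWORDS).items():
        status = f"cracked: {password!r}" if password else "not in list"
        print(f"{user:<12} {status:<30} after {guesses} guesses")
```

Three of the four constructed accounts fall within a handful of hashes each; only the one with a password absent from the list survives, and against a real multi-million-entry list that is the only kind of password that does. A site cannot fix this for its users after the fact, which is why the tip says the password matters more than the username.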

Copyright©2001-2011 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268