Psycho-Babble Administration Thread 251317


 

Posting in public places and cookies

Posted by stjames on August 16, 2003, at 13:04:56

If you allow cookies to keep your password for this site, your password is stored with encryption that is simple to break with dictionary or brute force methods with the utility "John". Esp. quick with decades-old MD5, used here. Another cookie seems to be gathering how long/where you go on this site, despite the fact the web server logs already contain this info. The server logs already know OS, browser type, referer, and time spent on page can be computed.

Download John and see how quickly you can crack your password:
http://www.openwall.com/john/

 

Re: Posting in public places and cookies

Posted by NikkiT2 on August 16, 2003, at 16:13:10

In reply to Posting in public places and cookies, posted by stjames on August 16, 2003, at 13:04:56

I can't even get John the Ripper to work.. heavens knows what I'm doing wrong!!

nikki

 

Re: Posting in public places and cookies » stjames

Posted by NikkiT2 on August 16, 2003, at 16:20:31

In reply to Posting in public places and cookies, posted by stjames on August 16, 2003, at 13:04:56

It downloads a zipped up file, I extract it and it gives me two folders full of files, but none of them is an exe

Any ideas??

nikki

 

Re: Posting in public places and cookies

Posted by stjames on August 16, 2003, at 22:26:40

In reply to Re: Posting in public places and cookies » stjames, posted by NikkiT2 on August 16, 2003, at 16:20:31

Unix or win ? John runs best on Linux.

 

Re: Posting in public places and cookies » stjames

Posted by NikkiT2 on August 17, 2003, at 7:38:57

In reply to Re: Posting in public places and cookies, posted by stjames on August 16, 2003, at 22:26:40

Ah.. it's Win.. didn't think it was worth putting Linux on this machine as it's basically just a surfing and playing around machine...

I did want to play with John though ;)

Nikki x

 

Re: Posting in public places and cookies

Posted by stjames on August 17, 2003, at 10:48:55

In reply to Re: Posting in public places and cookies » stjames, posted by NikkiT2 on August 17, 2003, at 7:38:57

I downloaded the win version and in the dir \run I saw john.exe. Did not check the DOS version.

I love John. It is written by a well-known legit security admin. One of my first tasks at work was to crack the first ~5,000 users' passwords from our ~20,000 user password file, so our billing system could suspend them for non-payment and then restore the original passwd if they paid. I ran into some issues with John and BSDi; DOS was too slow. I worked up my courage and e-mailed the person who wrote John and discovered he was really nice (coders sometimes are not very helpful).

The storing of passwds as cookies is used everywhere and is a real bad idea. I was posting from an ex-friend's house who was a wannabe hacker. He remarked that I was leaving my passwd on his box as a cookie. He did try to post as me; what I pulled out of his web cache was quite nasty: a personal attack on me, the posters, and Dr Bob. However I had already changed my passwd.

He was picked up last week as he broke probation & was on the lam (I did not know this) and will be in the big house for quite some time. In a wonderful twist of fate, his panicked roommate asked me to take over his share in the house. So now I no longer have a 1.5 hour commute to work (each way) and my rent is less !!! The last 2.5 years have been very hard, as I am on the road 3 hours so I felt like I was working 12 hrs a day. With this expense I was trapped as I could not save first and last to move. The lack of sleep and stress has been slowly increasing my depression a little every day & I have had several minor breakdowns & was headed for a major one. Whew!

 

Re: Posting in public places and cookies » stjames

Posted by NikkiT2 on August 17, 2003, at 13:13:22

In reply to Re: Posting in public places and cookies, posted by stjames on August 17, 2003, at 10:48:55

Sounds like his little tricks have actually been very worthwhile for you!!! taught you something about cookies (and thus the rest of us!!) and also got you a new place to live!! Woo hoo!!

I have XP (and only got it 2 days ago from having used NT for 5 years, so I'm a little lost and hating it!!).. I get two folders extracted from John.. "Doc" and "run". Doc contains a number of files that have no extension, and run also has a load of files, but with extensions..

all.chr cygwin1.dll john lanman.chr unafs unshadow alpha.chr digits.chr john (configuration settings) john-mmx password.lst unique

Any ideas??

Sorry to be a dim pain

Nikki

 

Re: Posting in public places and cookies » stjames

Posted by shar on August 17, 2003, at 13:14:05

In reply to Re: Posting in public places and cookies, posted by stjames on August 17, 2003, at 10:48:55

James,
I must say that sometimes life comes through with a really good one, and I love reading about those things! Congrats on losing your commute time (jeeze....that's incredible--1.5 hrs each way!!). Makes me think I ought to whine a bit less when I interview for a job that'll just take an hour each way.

Enjoy your found time!

BTW I'm just a geek wannabe, and when I went to see the John program I was totally overwhelmed, so I guess it's not for the squeamish (or the newbies).....
Shar

 

Re: Posting in public places and cookies

Posted by stjames on August 17, 2003, at 18:59:54

In reply to Re: Posting in public places and cookies » stjames, posted by NikkiT2 on August 17, 2003, at 13:13:22

You have it set to hide common extensions. Left click on the one that says "john" and see if the full path is to john.exe

 

Re: Posting in public places and cookies

Posted by stjames on August 17, 2003, at 19:05:57

In reply to Re: Posting in public places and cookies » stjames, posted by shar on August 17, 2003, at 13:14:05

> James,
> I must say that sometimes life comes through with a really good one, and I love reading about those things! Congrats on losing your commute time (jeeze....that's incredible--1.5 hrs each way!!). Makes me think I ought to whine a bit less when I interview for a job that'll just take an hour each way.
>
> Enjoy your found time!

I'm moving this to 2000
>
> BTW I'm just a geek wannabe, and when I went to see the John program I was totally overwhelmed, so I guess it's not for the squeamish (or the newbies).....
> Shar

 

Re: Posting in public places and cookies

Posted by Dr. Bob on August 18, 2003, at 5:00:30

In reply to Re: Posting in public places and cookies, posted by stjames on August 17, 2003, at 10:48:55

> The storing of passwds as cookies is used everywhere and is a real bad idea.

Well, at least it's encrypted to some extent? You don't have to keep your cookies turned on, you know. Not to use this site, anyway...

Bob

 

Re: Posting in public places and cookies

Posted by stjames on August 18, 2003, at 19:46:52

In reply to Re: Posting in public places and cookies, posted by Dr. Bob on August 18, 2003, at 5:00:30

> > The storing of passwds as cookies is used everywhere and is a real bad idea.
>
> Well, at least it's encrypted to some extent?

It would not fly by HIPAA, is weak and simple to break. Double pass encryption would be better. Take the clear text passwd, crypt it, then use the cipher text (encrypted passwd) as the key to encrypt itself. For now, this beats brute force methods. Try not to use the oldest encryption methods, like MD5, DES, & 3DES. It is getting possible to actually break these without brute force. Blowfish is my choice for encryption. Perl has modules for Blowfish. So, no, it is in no way OK. Is putting the house key under the front door mat OK for you ? Would you do this ?

> You don't have to keep your cookies turned on, you know. Not to use this site, anyway...
>
> Bob

You know or should know that a) few users here do understand all this, b) few know when a cookie is set, c) or even know how to control this, d) or that users have a clue how to control if cookies are used.

It is also very hard to surf and have pages function well without cookies, so most are forced to allow them.

I suggest a check box, "remember my password", with a short discussion of the dangers of this. "Checking this box means your password will be stored on your computer, encrypted, as a cookie. If others have access to your computer it is possible to get your real password from this cookie. Consider not saving your password if you post from a computer that is not your own" (or some such wording).
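The weakness stjames describes is structural: a cookie value computed from the password alone (unsalted MD5, or the "double pass" construction, which is likewise a deterministic function of the password) can be matched offline against a wordlist by anyone who copies the cookie. The example below is added here and is not code from the forum or its site; it contrasts that cookie with a "remember me" token that carries no password information and can be revoked server-side. The wordlist and usernames are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample wordlist for the demonstration (not from the thread).
WORDLIST = ["letmein", "password", "sunshine", "babble2003", "qwerty"]


def weak_remember_cookie(password: str) -> str:
    """Cookie value that depends only on the password (unsalted MD5 hex).
    MD5 is fast and has no salt, so one guess costs one hash call."""
    return hashlib.md5(password.encode()).hexdigest()


def guessable_from_cookie(cookie_value: str, wordlist) -> Optional[str]:
    """Defender's check: if walking a wordlist reproduces the cookie value,
    the cookie is effectively a copy of the password. Returns the matching
    word, or None if the cookie is not a function of a listed password."""
    for guess in wordlist:
        if hmac.compare_digest(weak_remember_cookie(guess), cookie_value):
            return guess
    return None


class RememberMeStore:
    """Hardened alternative: the cookie carries a random token that reveals
    nothing offline; the server maps token -> user and can revoke it."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token so a leaked table cannot mint cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._tokens.get(self._key(token))

    def revoke(self, token: str) -> None:
        self._tokens.pop(self._key(token), None)
```

Changing the password or clicking a logout/"erase cookies" link should call `revoke`, which is not possible when the cookie itself encodes the password.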

 

Re: Posting in public places and cookies

Posted by noa on August 19, 2003, at 5:15:05

In reply to Re: Posting in public places and cookies, posted by stjames on August 18, 2003, at 19:46:52

I used to post from the public library a lot. I inquired here about how to erase cookies, and was referred to the "erase cookies" function on this site. My password I never saved on the public computers, but I also just wanted to be more sure, so I would always erase cookies anyway after each visit. In any event, I believe the librarians cleared all temp files caches at the end of the day anyway.

 

Re: Pssst. Hi Noa. :) (nm) » noa

Posted by Dinah on August 19, 2003, at 5:39:34

In reply to Re: Posting in public places and cookies, posted by noa on August 19, 2003, at 5:15:05

 

Re: Posting in public places and cookies

Posted by Dr. Bob on August 19, 2003, at 19:29:47

In reply to Re: Posting in public places and cookies, posted by stjames on August 18, 2003, at 19:46:52

> Double pass encryption would be better.
> Take the clear text passwd, crypt it, then use the
> cipher text (encrypted passwd) as the key to encrypt itself.

> I suggest a check box, "remember my password",
> with a short discussion of the dangers of this.
> "Checking this box means your password will be stored on your computer, encrypted, as a cookie.
> If others have access to your computer it is possible to get your real password from this cookie. Consider not saving your password if you post from a computer that is not your own" (or some such wording).

Those are good suggestions, thanks!

Bob

 

Re: Pssst. Hi Noa. :) » Dinah

Posted by noa on August 23, 2003, at 18:47:06

In reply to Re: Pssst. Hi Noa. :) (nm) » noa, posted by Dinah on August 19, 2003, at 5:39:34

Psst. Hi back. I'm back, tho not sure for how long. It's been heated here, I see.




[dr. bob] Dr. Bob is Robert Hsiung, MD, bob@dr-bob.org

Script revised: February 4, 2008
URL: http://www.dr-bob.org/cgi-bin/pb/mget.pl
Copyright 2006-17 Robert Hsiung.
Owned and operated by Dr. Bob LLC and not the University of Chicago.