Forgot your password?
typodupeerror
Security

Leaked Passwords On Display At a German Museum 42

Posted by timothy
from the where's-your-scanner dept.
Daniel_Stuckey writes "Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year. He brings the books to his exhibits, called 'Forgot Your Password,' where you're free to see if he's got your data—and whether anyone else who wanders through is entirely capable of logging onto your account and making Connections with unsavory people. In fact, Bartholl insists: "These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order," the description of his project reads. "Visitors are invited to look up their own password.""
This discussion has been archived. No new comments can be posted.

Leaked Passwords On Display At a German Museum

Comments Filter:
  • meanwhile (Score:5, Funny)

    by marcello_dl (667940) on Saturday December 14, 2013 @01:35PM (#45689779) Homepage Journal

    I'd set up some cams to see what the visitors point at (getting the password or a narrow alphabetical space to bruteforce), and try to sniff their smartphone (fake open AP) so i get what the user could be. That will teach those suckers to look up their pass in public

  • by sandbagger (654585) on Saturday December 14, 2013 @02:14PM (#45689969)

    I recently applied for a job on a web site. In addition to the usual infuriations (thanks for uploading your resume, please spend the next 45 minutes copying and pasting individual paragraphs into our form. Oh, and we don't support ASCII so good luck with those bullets) the password was constrained to A-Z and numbers only and under 10 characters.

    I usually use a random string from something from a strong password generator script. Why any programmer with more than two brain cells to rub together would want a weak password is beyond mysterious to me. Probably some ding-dong in marketing demanded it.

    • by Anonymous Coward on Saturday December 14, 2013 @02:30PM (#45690057)

      Oh, and we don't support ASCII so good luck with those bullets

      An EBCDIC website?

      • Re: (Score:3, Informative)

        by S.O.B. (136083)

        An EBCDIC website?

        Awesome EBCDIC reference.

        The true nerds will know what it is...the fanboi, pseudo nerds (the majority of Slashdot now it seems) will Google it and say they knew all along.

      • OP here:

        It'd not be a problem except that they don't tell you until after you submit the text, and then go back to check. I mean, it's nearly 2014, you'd think some basic support for formatting would be on most web sites. Actually, scratch that. Extensive support for text formatting when you're asking Joe/Jane consumer to paste in a resume should be ready.

        Why?

        People will more often than not be pasting from a Word file. Yes, most of that formatting can be ignored because Word tends to fill formatting with no

    • Why any programmer with more than two brain cells to rub together would want a weak password is beyond mysterious to me. Probably some ding-dong in marketing demanded it.

      Because they're storing the password in plain text in the database and disk space was expensive in 1986.

      This might not be the programmer's fault. It might be that the requirements were written in 1986 and whoever wrote them didn't understand the concept of password reset or hadn't heard of cryptographic hash functions.

    • by AnttiV (1805624) on Saturday December 14, 2013 @02:52PM (#45690211)

      Amen to that. The funny (or sad) thing is, this is too common, even in this age. One of the largest ISPs/Carrier Networks here in Finland has a hilariously stupid password rule set. Note: As much as I'd like it to be, this is not a joke.

      1) 8-16 characters.
      2) a-z, A-Z, 0-9 ONLY (Note: Although this is a Nordic country, this still excludes our normal day-to-day use letters ä, ö and å.
      3) No three same characters in the entire password. NOT sequential or one after the other. In the *whole* password. (So "2rv8b23r09vnbn2" would not do, because "2" is there three times).

      4) NO rule for sequential numbers/characters.

      What this all comes to, is that the system gladly accepts "12345678" and "abcdefg" as perfectly viable and good passwords, but doesn't allow "j243508vubj234gj", "#a&%B3bv#sdf#" or "correct horse battery staple" to be used.

    • It's also a huge red flag considering you're only supposed to store hashes of some variety, never the password itself. If how long the password is doesn't affect the length of what you store in the database at all, what is the point of limiting it, right?

    • Why any programmer with more than two brain cells to rub together would want a weak password is beyond mysterious to me. Probably some ding-dong in marketing demanded it.

      While it's not quite at the same level... even now, some of Microsoft's web logins restrict the password to 16 characters.

      A couple months ago, when I was setting up an account for one of their services (Lync? Live.com? Microsoftstore.com? I don't remember) to do some testing for work - I generated one of my typical somewhere-between-16-and-24-character passwords, but it was rejected because it "needs to be 16 characters or less".

    • Oh, and we don't support ASCII so good luck with those bullets

      Sorry, I can't find the bullet in ASCII.

  • Some German law office needs to send him an Abmahnung for using my copyrighted (life + 70 years) password!

    Because he needs to understand copyright as an IP deserves better protection than other kinds of property.

  • by jasonbrown (142035) on Saturday December 14, 2013 @02:25PM (#45690029) Homepage
    I can't remember why I needed them in the first place anyways.
  • Because Linkedin didn't force a password reset for all those accounts already?

  • by jeauxkewl (1465425) on Saturday December 14, 2013 @03:10PM (#45690297)
    It's the same as all my others. *************
  • Who cares.
  • He forgot to include the parts of the installation where a series of cameras and mics watch your eye movement, page number, and breathing to compile a short list of password roots from which to compromise your other accounts.
  • Could you take just a little more care with your copy-paste submissions? This is twice in two days that you've copied the second and third paragraphs of a story, thus robbing the initial sentences of their context. Example:

    Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year.

    Which social network?

    Yes, it's specified further down in the submission, but more by luck than judgement, I suspect.

    Makes one wonder if you're actually a sentient being.

  • by russotto (537200) on Sunday December 15, 2013 @01:22AM (#45693071) Journal

    ...conceptual art.

Saliva causes cancer, but only if swallowed in small amounts over a long period of time. -- George Carlin

Working...