Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Note: You can take 10% off all Slashdot Deals with coupon code "slashdot10off." ×
Japan Security

eBay Japan Passwords Revealed As Username+123456 80

mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt, which should have been random, used was the combination '123456', which was reported as last year's worst password." Complete with visual aids.
This discussion has been archived. No new comments can be posted.

eBay Japan Passwords Revealed As Username+123456

Comments Filter:
  • by raymorris (2726007) on Thursday March 27, 2014 @04:04PM (#46595689) Journal

    My interpretation is that they used a) as b), which should be fine if the salt was actually salty. I think they did:

      default_password = crypt(username+salt)

    That would be fine if they used real salt (random), but instead they used Mrs. Dash salt substitute.

  • Not salt (Score:5, Informative)

    by blueg3 (192743) on Thursday March 27, 2014 @04:20PM (#46595857)

    It looks from the video that the password is simply the username concatenated with a global string, "123456".

    That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

    So all these discussions of salt are not at all relevant.

    This is fundamentally a case of hard-coded credentials [mitre.org], which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)

Related Links Top of the: day, week, month.

The goal of science is to build better mousetraps. The goal of nature is to build better mice.

Working...