eBay Japan Passwords Revealed As Username+123456

mask.of.sanity (1228908) writes "eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt, which should have been random, used was the combination '123456', which was reported as last year's worst password." Complete with visual aids.

Hey

[CheezburgerBrown .]

That's the same password as my luggage!

Re:Hey

[marcansoft]

Sorry for the threadjack, but this is yet another case of horrible security reporting.

From watching the video, what it seems happened here was that eBay chose phpBB for their community forum, but did not integrate its authentication system directly with eBay's on the server side. Instead, the site was set-up as a standalone system, and whoever implemented the integration had the bright idea of hardcoding the forum password for everyone as username+123456, and then just having the eBay login page issue a hidden POST request behind the scenes to authenticate users to the community forum section.

Thus, this allows anyone to trivially impersonate anyone else on the forum. It shouldn't have anything to do with the rest of the site, though. Nor does this have anything to do with initial passwords, salts, or any of the other terms that have been thrown around.

A case of absolutely retarded login integration for the community site, but not something that would allow people to take over others' main eBay account. What this says about the people running eBay is another matter entirely...

Re:

[phantomfive]

Thankyou so much for reading the article and figuring that out so I didn't have to. :)

Re:

[ArsenneLupin]

and whoever implemented the integration had the bright idea of hardcoding the forum password for everyone as username+123456, and then just having the eBay login page issue a hidden POST request behind the scenes to authenticate users to the community forum section.

... which means that even if the salt had been something else than +123456, it wouldn't really have been more secure, as that "hidden" POST request would have been present in some web resource (html, javascript) downloaded to the end user's browser...

Re:

[blueg3]

They're not talking about a fixed value that's different from "+123456". They're talking about using a different, random value for each user. That is more secure. (There's still plenty of security problems, but it's better than every user's password being completely predictable.)

Of course, if you're bothering to store a different random value for each user, there's no reason to include their username in the password. Just store a long random password for each user. (That's still not great security -- never

Re:

[Adriax]

Prepare eBay One for immediate departure.
And change the combination on my luggage!

Obligatory

[hey!]

....That's amazing! I've got the same combination on my luggage!

Re:

[ArcadeMan]

I wish I had mod points because unlike CheezburgerBrown above, you made a direct quote from the movie.

Re:

[lucm]

I wish I could take back that google search I just did and live in the blissful oblivion of not knowing from what movie that quote came from. Now I'm tainted.

Re:Obligatory

[ArcadeMan]

You just gave me an idea.

Alright everyone, LISTEN UP!

If a user tries to use "12345" for his password, return an error message exactly as follows:
"1,2,3,4,5? ....That's amazing! I've got the same combination on my luggage!"

Now go and implement this on your systems, whatever they may be. I don't care if your code systems for banks, the NSA or whatever. It shall be known as "Spaceballs: The Error Message".

Re: Obligatory

[TheDarkMaster]

Dude, is a really good idea :-D

Re:

[Anonymous Coward]

Introducing easter eggs is enough to get fired, if your employer takes quality seriously.

Introducing an idea to add proper entropy calculation of all passwords can help you get a raise. Of course, if you implement it by "if char.isUpper(): entropy += 5" then you should also be fired...

Re:Obligatory

[0racle]

Then code a quality easter egg with full test cases and stellar documentation.

Re:

[antdude]

I would do that if I knew how to code. :P

Re:

[Anonymous Coward]

I'm totally going to see if I can do this. I'm the guy who would implement this kind of thing where I work. It's supposed to be a highly-secure system, and management and our customers might not actually mind in our case.

I'm sorry, what?

[Anonymous Coward]

Do you not get to change your eBay password... in Japan?

captcha: nipple. OK, that was worth it.

Spaceballs: The Comment!

[broginator]

I too have seen Spaceballs.

Spaceballs: The Reply

[ArcadeMan]

I love the title of your post, but I'm out of mod points.

Spaceballs: The Flamewar

[GoodNewsJimDotCom]

Which would you want to see more: The sequel to History of the World part 2, or Spaceballs: Episode Zero?

Spaceballs: A New Reply

[ArcadeMan]

Spaceballs 2: The Search for More Money.

Re:

[Anonymous Coward]

Ah, so you're the one...modding down all the comments.

Why was the initial password still being used?

[Todd Knarr]

If the password was set by the system, either during a password reset or initial account creation, the first thing I do is change the password to a random one my password manager program's generated. Why were these accounts still using the system-created password? Also, the article seems to conflate two uses of the term "salt": the random nonce used to insure the stored hash value isn't the same for two different accounts that picked the same password, and the random string used in the plaintext of the initial password to avoid a trivially-guessable "password same as username"-type case. The two aren't at all the same.

looks like both. password = crypt(username+salt)

[raymorris]

My interpretation is that they used a) as b), which should be fine if the salt was actually salty. I think they did:

  default_password = crypt(username+salt)

That would be fine if they used real salt (random), but instead they used Mrs. Dash salt substitute.

Oblig.

[Anonymous Coward]

XKCD [xkcd.com]
How do you know it's not random? [dilbert.com]

Re:

[Solandri]

It's actually not a problem if you force users to change their password upon their first login. It's stupid, but it's not a problem. The worst that can happen is that someone can hijack an account/username that's never been used before.

true, but force change causes a problem

[raymorris]

That's true. Forcing users to change the password upon first login does create one problem though. Some users are accustomed to referring back to the initial email or their notes to find the password. Those users keep trying to use the default password after the first time. The system I'm responsible for is set up that way and the help desk LOVES getting all of those calls.

I should see about changing that. It was set that way when I started this job.

wait a minute...

[slashmydots]

Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?

Re:

[lgw]

In Japan they don't obsess so much over children's cartoons? Who knew! I'll have you know the last time I ran a lab everything was named after American kids cartoons - America, fuck yeah!

Re:

[crgrace]

When I was an undergrad our Unix labs had every computer named after a cartoon character. All Hanna-Barbara characters too. I liked to use dino because it was fewer characters to type.

Re:

[PopeRatzo]

That's nothing. I'm so old that when I was in college all our servers were named after Greek gods.

And our desktops were clay tablets.

Re:

[poetmatt]

Zeus has 99.97% uptime in our environment.

Re:

[davydagger]

threee nines, fucking ametures.

five nines is the fucking standard.

Re:

[Anonymous Coward]

threee misteaks in you're reply.

Re:

[almitydave]

And our desktops were clay tablets.

We're swerving pretty far off-topic here, but has anyone made a clay tablet computer? Seriously even a clay tablet case with cuneiform writing on it would be neat. I can't find anything on teh googles.

Re:

[Redmancometh]

All our stacks in college were named after Simpson characters

Re:

[lgw]

Anime is just TV in Japan, generally targeted at teenagers. Most manga is similar. Many US printed comics have moved their target audience from ~10 to ~15 in recent decades (much thanks to Frank Miller and Neil Gaiman and Alan Moore for elevating the tone), but American cartoons are just starting to make the jump from younger kids to teens. But none of the mainstream stuff is really targeted at adults.

(As an aside, Superman in particular has really struggled with this, with sometimes inspired results. I

Re:

[AmiMoJo]

In Japan anime isn't just for kids. I'm not talking about porn either, there are shows for all ages and generas. Manga is even more diverse. There are huge monthly manga books with 500+ pages just containing stories about people playing mahjong or go.

Re:

[slashmydots]

Almost all anime is designed for adults, you clueless troll.

Re:

[Nidi62]

Wait so in the US most passwords (and server names and PC names and switch names and domain names) are Anime characters or related to Animes and in Japan they chose 123456? What the hell?

Maybe ebay knew that Japanese people love to travel, so this would be easy for them to remember because it's probably the same combination as their luggage?

Re:

[Anonymous Coward]

Thanks, because that was the part of the GPs comment that made no fucking sense

I'm rich!

[roc97007]

I just sold my 1971 Pinto to Hiroto Takahashi for 25,532,500 yen! Plus shipping!

Re:

[Anonymous Coward]

I just sold my 1971 Pinto to Hiroto Takahashi for 25,532,500 yen! Plus shipping!

You know, a quarter million USD doesn't go very far these days. Don't quit your day job.

Not salt

[blueg3]

It looks from the video that the password is simply the username concatenated with a global string, "123456".

That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

So all these discussions of salt are not at all relevant.

This is fundamentally a case of hard-coded credentials [mitre.org], which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)

Re:Not salt

[jxander]

We'll call this "just a pinch of salt"

Re:

[hawguy]

It looks from the video that the password is simply the username concatenated with a global string, "123456".

That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.

So all these discussions of salt are not at all relevant.

This is fundamentally a case of hard-coded credentials [mitre.org], which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)

I was wondering about that too -- from the description it didn't sound like a salt, I thought the summary was inaccurate (nearly unheard of on Slashdot!), but TFA said the same thing.

Sounds like someone knew enough about cryptography to be dangerous and though that any random (or not) string added to the plaintext password is a salt.

Random?

[Anonymous Coward]

How do they know that 123456 wasn't generated at Random? It has the same probability of occurring as any other 6 digit random number...

Re:

[Lehk228]

rand(){ return 4;} // genuine random number chosen by dice roll

Re:

[hcs_$reboot]

not in PHP (Windows) [random.org]

Same for all Four Users?

[fullback]

I've lived in Japan for over 20 years and I, like probably most people in Japan, didn't know it even existed.

Almost-best practices

[tepples]

From the crackstation.net article:

For the same reason, the username shouldn't be used as a salt. Usernames may be unique to a single service, but they are predictable and often reused for accounts on other services. An attacker can build lookup tables for common usernames and use them to crack username-salted hashes.
[...]
The next step is to add a secret key to the hash so that only someone who knows the key can use the hash to validate a password.

One site I've worked on uses the user ID, username, join d

Re:

[Lehk228]

>2014
>still making the public display name and login name the same

Re:

[tepples]

Matters not. You can test for validity of a public display name by trying to send a private message, and you can test for validity of a login name by attempting to register it.

Re:

[Lehk228]

one to one you can, but if you try that on a scale of thousands it will be clearly a hacking attempt

Re:

[blueg3]

One site I've worked on uses the user ID, username, join date/time, and a secret per-site string as the salt for the password. User IDs are sequential and can be sort of guessed from the join date, but I'm under the impression that there's enough entropy in the minutes and seconds of the join date/time, and the secret per-site string keeps the lookup table from applying to more than one site.

The function of salt is to make password cracking efforts more difficult when the attacker has access to the site's password database. So, predictability is not as important, since all the listed information is available to the attacker anyway. (Similarly, the salts are available to the attacker.) That doesn't look like much entropy, though. Really, storing an extra column of random, per-user salts in a database is not particularly hard and has tangible (though not magical) benefits.

The bad guys can already do that by trying to register an account with that username or by trying to send a private message to that username.

Yeah. IMO, usernames sho

crappy reporting, crappy editing

[Anonymous Coward]

Uh, that's not a salt, it's a crappy password. A salt's purpose is to make hash(salt, value) result in something different than hash(salt2, samevalue). This protects against attacks against disclosed password databases. Also, for a salt, the user never types it in. The salt is stored near the password hash, is randomly generated by the application, and is never seen by the user.

On the other hand, this is a default (or possibly hard coded) password. In this case, the user types in their username concatenat