Naked Password
Naked Password is a jQuery plugin that encourages users to choose stronger passwords: pixelated model Sally tastefully removes items of clothing as the password grows stronger.
Readers of Gizmodo, Lifehacker and other Gawker Media sites may be among the savviest on the Web, but the most common password for logging into those sites is embarrassingly easy to guess: “123456.” So is the runner-up: “password.”
On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were stored as hashes rather than in plaintext, but 188,279 of them were cracked and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords.
At least two popular passwords are science-fiction references: “trustno1” was Special Agent Mulder’s password on “The X-Files,” and “thx1138” is a George Lucas film that envisioned a dystopian future. Other popular passwords are just plain-old geeky: “dragon,” “superman,” “princess,” “starwars” and “nintendo.”
Packaged as a 500MB torrent, currently hosted on the popular torrent tracker ThePirateBay, is a database dump of roughly a million commenter and staff passwords.
Inside the torrent lies a file entitled Readme.txt. This file is potentially the most sensitive of them all, for it holds the usernames and passwords used by the entire Gawker staff, focusing particularly on Gawker’s founder Nick Denton.
The usernames and passwords for Denton’s Google Apps, Twitter and Campfire accounts are all listed; Denton uses the same password for them all.
FTP passwords for some gaming sites were stolen as well.
Although all of the passwords were stored as hashes, simple ones are vulnerable to dictionary and brute-force attacks against the leaked hashes. You should change your Gawker password, and your password on any other site where you have reused it.
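To show why the "simple" passwords in a leaked dump fall first, here is an added example (not code from this site, from Gawker or from the hack) of an offline dictionary attack: it hashes a wordlist seeded with the popular passwords named above, adds a few cheap mangling rules, and looks the leaked hashes up in the result. The dump is a constructed sample and the hash scheme (unsalted SHA-1) is an assumption for illustration; the article does not state what Gawker used. The second half goes beyond the text and shows the same attack against per-user salted hashes, where nothing can be precomputed and every entry costs a full pass over the wordlist.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

HashFn = Callable[[str], str]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1. Assumed scheme for this example only, not Gawker's."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Short wordlist seeded with the popular Gawker passwords named in the article.
WORDLIST: List[str] = [
    "123456", "password", "12345678", "qwerty", "abc123", "trustno1",
    "dragon", "thx1138", "superman", "princess", "starwars", "nintendo",
]


def mangle(word: str) -> Iterable[str]:
    """Cheap rule set: bare word, Capitalized, and either form with one digit appended."""
    yield word
    yield word.capitalize()
    for d in "0123456789":
        yield word + d
        yield word.capitalize() + d


def build_lookup(words: Iterable[str], hash_fn: HashFn) -> Dict[str, str]:
    """Precompute hash -> candidate for every mangled word. This is only possible
    because the hashes are unsalted: one table serves every user in the dump."""
    table: Dict[str, str] = {}
    for w in words:
        for candidate in mangle(w):
            table.setdefault(hash_fn(candidate), candidate)
    return table


def crack_unsalted(dump: Iterable[Tuple[str, str]], table: Dict[str, str]) -> Dict[str, str]:
    """Return {username: plaintext} for each (username, hash) whose hash is in the table."""
    return {user: table[h] for user, h in dump if h in table}


def crack_salted(dump: Iterable[Tuple[str, str, str]], words: Iterable[str],
                 hash_fn: HashFn) -> Tuple[Dict[str, str], int]:
    """With a per-user salt there is nothing to precompute: each (username, salt, hash)
    entry gets its own pass over the wordlist. Returns the hits and the hash count."""
    found: Dict[str, str] = {}
    evaluations = 0
    words = list(words)
    for user, salt, h in dump:
        for w in words:
            for candidate in mangle(w):
                evaluations += 1
                if hash_fn(salt + candidate) == h:
                    found[user] = candidate
                    break
            if user in found:
                break
    return found, evaluations


# Constructed "leak" for the unsalted case: four guessable passwords, one passphrase.
SAMPLE_DUMP: List[Tuple[str, str]] = [
    ("alice", sha1_hex("123456")),
    ("bob", sha1_hex("Password1")),
    ("carol", sha1_hex("trustno1")),
    ("dave", sha1_hex("thx1138")),
    ("erin", sha1_hex("correct horse battery staple")),
]

# Constructed salted "leak": (username, salt, hash(salt + password)).
SALTED_DUMP: List[Tuple[str, str, str]] = [
    ("frank", "x9", sha1_hex("x9" + "dragon5")),
    ("grace", "q2", sha1_hex("q2" + "correct horse battery staple")),
]


def run_unsalted(dump=SAMPLE_DUMP, words=WORDLIST, hash_fn=sha1_hex) -> Dict[str, str]:
    return crack_unsalted(dump, build_lookup(words, hash_fn))


def run_salted(dump=SALTED_DUMP, words=WORDLIST, hash_fn=sha1_hex) -> Tuple[Dict[str, str], int]:
    return crack_salted(dump, words, hash_fn)


if __name__ == "__main__":
    hits = run_unsalted()
    print(f"unsalted: {len(hits)}/{len(SAMPLE_DUMP)} cracked -> {hits}")
    hits, cost = run_salted()
    print(f"salted: {len(hits)}/{len(SALTED_DUMP)} cracked with {cost} hash evaluations -> {hits}")
```

The unsalted table is built once for the whole dump, which is exactly why an unsalted leak of a million accounts is cracked in bulk; a salt forces the attacker back to one wordlist pass per account, and a deliberately slow hash (bcrypt, scrypt, PBKDF2) makes each of those passes expensive. Neither helps a user whose password is "123456", which is why the advice to change reused passwords still stands.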
Well, we finally had enough time away from the lab to get around to the Kontest for the free Kon Boot license. The contest is to write an article for our site on a password tool of your choice. It has to be a tool we haven’t covered already (but not an obscure tool that is only useful to a handful of people, and no Nirsoft tools :p ). It can be a recovery tool, cracker, exploit etc. It doesn’t have to be a long article, as long as you cover the basics of how to use the tool and maybe some examples. The contest ends next Monday, so get those articles in to . 10 lucky winners will receive the licenses shortly afterwards.
A hacker named Kirllos appears to have sold close to 700,000 accounts, and has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices. Kirllos’ Facebook prices are extremely cheap compared to what others are charging. In its most recent Internet Security Threat Report, Symantec found that e-mail usernames and passwords typically went for between $1 and $20 per account; Kirllos wants as little as $0.025 per Facebook account.
If you look at the source code of the Twitter sign-up page and do a simple search for ‘twttr.BANNED_PASSWORDS’, you can find all 370 passwords that you can’t use. Because the list is shipped to the browser and checked there, it is only useful if the same list is also enforced on the server.
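Both the Naked Password meter above and Twitter’s banned list run in the browser, where a user (or a script) can simply skip them. Here is an added example, not code from either project, of the server-side check that has to back them up: a banned list folded for case and trailing digits (so "Password1" is caught as "password"), a minimum length, and a rough 0-4 strength score of the kind a client meter displays. The banned list is a constructed sample, not Twitter’s 370 entries.

```python
import re
from typing import Set, Tuple

# Constructed banned list for this example; Twitter's real list
# (twttr.BANNED_PASSWORDS) has 370 entries.
BANNED: Set[str] = {
    "123456", "12345678", "password", "qwerty", "abc123", "trustno1",
    "thx1138", "dragon", "superman", "princess", "starwars", "nintendo",
    "myspace", "letmein",
}

MIN_LENGTH = 8


def base_word(password: str) -> str:
    """Fold case and strip trailing digits so 'Password1' is compared as 'password'."""
    return re.sub(r"\d+$", "", password.lower())


def is_banned(password: str) -> bool:
    """True if the password, or its base word, is on the banned list."""
    return password.lower() in BANNED or base_word(password) in BANNED


def strength(password: str) -> int:
    """Rough 0-4 score: two points for length, two for character-class mix."""
    score = 0
    if len(password) >= 8:
        score += 1
    if len(password) >= 12:
        score += 1
    classes = sum(
        1 for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]") if re.search(pat, password)
    )
    if classes >= 2:
        score += 1
    if classes >= 3:
        score += 1
    return score


def check_password(password: str) -> Tuple[bool, str]:
    """Server-side decision; returns (accepted, reason). Banned list is checked first
    so a banned password gets the informative rejection rather than 'too short'."""
    if is_banned(password):
        return False, "banned"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if strength(password) < 2:
        return False, "too weak"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "Password1", "short7", "aaaaaaaaaa", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw)}")
```

The meter in the browser is user feedback; this function is the control. Run it on the sign-up and password-change handlers regardless of what the page’s JavaScript already did, because nothing stops a client from posting the form with the script disabled.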
It seems the MySpace add-on on rockyou.com fell victim to a SQL injection flaw, exposing more than 32 million passwords in plaintext.
http://igigi.baywords.com/rockyou-com-exposed-more-than-32-millions-of-passwords-in-plaintext/
A backdoor vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device’s administrative menu over the web, and potentially change its settings to intercept traffic, according to the blogger who discovered the issue.
David Chen said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with JavaScript code. By disabling JavaScript in his browser, he was able to see those functions, which included a tool to dump the router’s config file.
That file, it turned out, included the administrative login and password in cleartext. Chen investigated and found that the same login and password could access the admin panels of every router in the SMC8014 series on Time Warner’s network, given that the routers also expose their web interfaces to the internet. Hiding a function with client-side JavaScript is not access control: anything the browser receives can be read with JavaScript disabled or straight from the raw response, so the only thing protecting those routers was a shared credential that the device itself handed out.
Src: chenosaurus.com
A new study, being published in the Proceedings of the Human Factors and Ergonomics Society, details just how long we’ve been aware of the password problem. It cites a study of Unix passwords from 1979, which showed that about 30 percent of passwords were four characters or less, and about 15 percent were words that appear in the dictionary. Fast forward to 2006, when a separate survey of 34,000 MySpace passwords revealed that the most common were “password1”, “abc123”, “myspace1” and “password”.
src: arstechnica.com
A new post on the WordPress discussion list today revealed more details about the process. Anyone can trigger a password reset for a WordPress account whose email address is known: point the browser at http://www.domain.com/wp-login.php?action=lostpassword and supply the account holder’s email address in the form. WordPress normally sends a confirmation email first, asking the owner of the email account whether the password should be reset. The vulnerability manipulates the request so that this confirmation step is skipped.
The vulnerability cannot be exploited further, so attackers cannot gain access to the user account. It can, however, be used to reset the password repeatedly and lock the user or admin out of the WordPress blog.
A temporary fix for the remote admin password reset vulnerability has been posted. WordPress administrators need to change one line of code in the wp-login.php file of their WordPress installation to protect the blog from the attack. There is no official release fixing this problem yet; apply this change to your wp-login.php.
On line 190 of wp-login.php, change
if ( empty( $key ) )
to
if ( empty( $key ) || is_array( $key ) )
Why one extra test is enough: PHP’s empty() returns false for a non-empty array, and PHP turns a query parameter written with [] into an array, so a reset key supplied in that form slipped past the check that is supposed to stop a request without a valid key. The is_array() test rejects that case before the key is used.
It is advised to apply the temporary fix as soon as possible to WordPress installations.