22.53.43 - Mark

As I may or may not have posted in the past, I'm the coder of the working and intelligent sections of www.mtairynews.com

Let me stress working and intelligent.

Their tech monkey shouldn't be allowed within 500 meters of an internet connection. I know that a New York court ruled that cruel and unusual punishment, but he shouldn't. For one, when I was trying to help them get my pages online I had to give him a crash course on directories and linking. If he's looked at HTML code in his life I'd be shocked. If he comprehends it, I'm the King of Elbonia. OK, maybe it's not that bad (but it's close).

Once my pages were up and running I let it be and forgot about it until I needed to access the no-longer-free e-paper that spurred on development of the new site. Anywhoo, I looked up my password and username and discovered something weird. My zip code is the password. OK, fine. My UN is an insecure 7-digit number. No letters, nothing customizable, just 7 digits. OK, not great, but 7 digits is a common way to stick in someone's attention span (if you didn't know that, look at a phone number: minus stuff like 1-800 or the area code it's a nice 7 digits, but 10 also sticks well).

I let this slip until today, when I ran across two more of the UN/PW combos at school. Surprise: more 7-digit number UNs and the same password.

Correct me if I'm wrong, but IMHO it sure as hell isn't a good idea to fork over the same password to every user of a commercial site. Especially with an easily guessable user #.

Proof: I ran a simple brute-force attack starting with the ever-common nada and working up by ones. By the time I hit 0000019 I stopped, since I have more UNs and passwords (approx. 50% were VALID UNs and passwords) than I should ever need, ever.


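Editor's added example, not the author's code and not run against any real site: it simulates the "start at 0000000 and count up" walk described in the post against a constructed in-memory account table with sequential 7-digit usernames and one shared password, then shows the same walk failing against a hardened variant with per-account random passwords and a failure lockout. The password value, the rule that every second ID exists (to mimic the roughly 50% hit rate the post reports) and the hardened class are all assumptions made for the demo.

```python
"""Added example: sequential numeric usernames plus one shared password
collapse authentication to a linear walk over the ID space.

Everything here is constructed for illustration; it is not the blog author's
code and it touches no real site. The password value, the 'every second ID
exists' rule and the hardened variant are all assumptions made for the demo."""
from typing import Callable
import secrets

ID_WIDTH = 7                 # 7-digit numeric user numbers, as in the post
SHARED_PASSWORD = "27030"    # hypothetical zip-code-style password shared by every account


def build_weak_accounts(n_ids: int, keep_every: int = 2) -> dict[str, str]:
    """Constructed account table for the weak scheme: zero-padded sequential
    usernames, each with the same password. Keeping every second ID mimics
    the roughly 50% hit rate reported in the post."""
    return {str(i).zfill(ID_WIDTH): SHARED_PASSWORD
            for i in range(n_ids) if i % keep_every == 0}


def weak_login(accounts: dict[str, str], username: str, password: str) -> bool:
    """The weak site's check: the username exists and the shared password matches."""
    return accounts.get(username) == password


def enumerate_sequential(login: Callable[[str, str], bool], password: str,
                         start: int = 0, stop: int = 20) -> list[str]:
    """The post's procedure: try usernames start..stop-1 in order with one
    candidate password and collect the ones that log in. Cost is linear in
    the number of IDs tried, not in the 10**ID_WIDTH nominal keyspace."""
    hits = []
    for i in range(start, stop):
        username = str(i).zfill(ID_WIDTH)
        if login(username, password):
            hits.append(username)
    return hits


class HardenedSite:
    """Same sequential usernames (subscriber numbers may be unavoidable), but
    each account gets its own random password and repeated failures lock the
    login path. A single global failure counter stands in for per-source
    throttling; a real deployment would key it on client address or account."""

    def __init__(self, usernames, max_failures: int = 5):
        self.accounts = {u: secrets.token_urlsafe(12) for u in usernames}
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, username: str, password: str) -> bool:
        if self.locked:
            return False
        # constant-time compare; unknown usernames compare against "" and fail
        ok = secrets.compare_digest(self.accounts.get(username, ""), password)
        if not ok:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
        return ok


if __name__ == "__main__":
    weak = build_weak_accounts(40)
    found = enumerate_sequential(lambda u, p: weak_login(weak, u, p), SHARED_PASSWORD)
    print(f"weak site: {len(found)} of 20 sequential IDs logged in: {found}")

    site = HardenedSite(weak.keys())
    found = enumerate_sequential(site.login, SHARED_PASSWORD)
    print(f"hardened site: {len(found)} hits, locked={site.locked} after {site.failures} failures")
```

Against the weak table, twenty guesses yield ten working logins with no knowledge beyond the one shared password; against the hardened variant the same twenty guesses yield none and trip the lockout after five failures. The point is that the sequential ID is only a problem because the password adds no entropy of its own.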