Showing results for tags 'passwords'.

Found 11 results

  1. Hi. The other day I wrote a simple HTTP brute-force program to practise a bit of Python, and that raised the question of whether there are certain patterns in the structure of passwords. So I wrote a script that gathered some data from a file of about 16 million passwords. It's nothing special, but maybe someone will find it interesting, so here is a summary. I split the passwords into 4 groups according to their length:
    -> 1-3 characters (1467 passwords)
    -> 4-7 characters (2,686,364 - 16%)
    -> 8-14 characters (13,346,633 - 80%)
    -> more than 14 characters (694,281 - 4%)
    ...and gathered data for each group separately (except the first one, which I dropped :D). Example, the passwords with 8-14 characters:
    The number of occurrences of each character: |:598 }:803 {:889 >:2040 ":3011 ... i:5167431 2:5182306 0:5765269 e:6620189 1:6769976 a:8104920
    The character a password ends in: {:86 |:145 <:386 }:477 space:525 [:539 ... 0:743899 2:841664 3:922604 1:1236292
    Words that appear repeatedly: admin:4162 real:6131 bitch:10238 fuck:14779 sex:42718 girl:44838 boy:46580 love:170902
    The number of passwords made up exclusively of vowels (aAeE..) is 245.
    The number of passwords made up exclusively of consonants is 27832.
    The number of passwords that contain:
    -> uppercase characters: 1238139
    -> numbers: 9437095
    -> special characters: 810409
    -> spaces: 56626
    The number of repeating consecutive characters:
    -> three repetitions (e.g. asdFFFk): 366626
    -> four repetitions (e.g. 7777d): 46684
    -> five repetitions (e.g. kkkkklsidn): 9425
    -> more than five repetitions: 12051
    I put a slightly more detailed version of the file at https://github.com/lucadln/http-brute-force/tree/master/Password statistics. There I also put the Python script I used and a zip with the password list.
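To make the kind of counting described in the post above concrete, here is a small Python script that computes the same categories of statistics per length bucket: character and final-character frequencies, hits against a short word list, vowel-only and consonant-only passwords, which character classes are present, and the longest run of identical consecutive characters. This is an added example, not the poster's script from the linked repository; the password list, the word list and the bucket labels are constructed for the demonstration and are not taken from any real dump.

```python
"""Password-corpus statistics (added example; not the poster's script)."""
from collections import Counter
import re
import string

# Constructed sample corpus for the demo; not real leaked passwords.
SAMPLE_PASSWORDS = [
    "ab", "xyz", "aaa",
    "asdFFFk", "7777d", "aeiou", "rhythm", "girlboy",
    "love1234", "password", "admin2015", "P@ssw0rd", "kkkkklsidn", "zzzzzzzz",
    "Love Story 2014",
]

# Length buckets as in the post: 1-3, 4-7, 8-14 and more than 14 characters.
BUCKETS = [("1-3", 1, 3), ("4-7", 4, 7), ("8-14", 8, 14), (">14", 15, None)]

# Hypothetical word list for the "words that appear repeatedly" count.
WORDS = ["love", "admin", "girl", "boy", "pass"]

VOWELS = set("aeiouAEIOU")
CONSONANTS = set(string.ascii_letters) - VOWELS


def bucket_for(pw):
    """Return the bucket label for a password, or None for the empty string."""
    n = len(pw)
    for name, lo, hi in BUCKETS:
        if n >= lo and (hi is None or n <= hi):
            return name
    return None


def longest_run(pw):
    """Length of the longest run of identical consecutive characters."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", pw)), default=0)


def _empty_stats():
    return {
        "count": 0,
        "chars": Counter(),        # occurrences of each character
        "last_char": Counter(),    # character the password ends in
        "words": Counter(),        # word-list hits (case-insensitive substring)
        "only_vowels": 0,
        "only_consonants": 0,
        "has_upper": 0, "has_digit": 0, "has_special": 0, "has_space": 0,
        "runs": Counter(),         # keys 3, 4, 5 and "6+" (longest run)
    }


def analyze(passwords):
    """Accumulate per-bucket statistics over any iterable of passwords."""
    stats = {name: _empty_stats() for name, _, _ in BUCKETS}
    for pw in passwords:
        b = bucket_for(pw)
        if b is None:
            continue
        s = stats[b]
        s["count"] += 1
        s["chars"].update(pw)
        s["last_char"][pw[-1]] += 1
        low = pw.lower()
        for w in WORDS:
            if w in low:
                s["words"][w] += 1
        charset = set(pw)
        if charset <= VOWELS:
            s["only_vowels"] += 1
        if charset <= CONSONANTS:
            s["only_consonants"] += 1
        if any(c.isupper() for c in pw):
            s["has_upper"] += 1
        if any(c.isdigit() for c in pw):
            s["has_digit"] += 1
        if any(c in string.punctuation for c in pw):
            s["has_special"] += 1
        if " " in pw:
            s["has_space"] += 1
        r = longest_run(pw)
        if r >= 6:
            s["runs"]["6+"] += 1
        elif r >= 3:
            s["runs"][r] += 1
    return stats


def analyze_file(path):
    """Stream a large wordlist line by line instead of loading it into memory."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return analyze(line.rstrip("\r\n") for line in fh)


if __name__ == "__main__":
    result = analyze(SAMPLE_PASSWORDS)
    for name, s in result.items():
        print(f"[{name}] {s['count']} passwords; top chars: {s['chars'].most_common(3)}; "
              f"upper={s['has_upper']} digit={s['has_digit']} special={s['has_special']} "
              f"space={s['has_space']} runs={dict(s['runs'])}")
```

On a real multi-million-line file use `analyze_file`, which streams the input; the `Counter` objects are the only state kept in memory, so the run is bounded by the alphabet size rather than the corpus size. The "runs" figure counts passwords by their longest run of identical characters, which is one reasonable reading of the post's "three/four/five repetitions" lines.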
  2. Keychains raided, sandboxes busted, passwords p0wned, but Apple silent for six months Six university researchers have revealed deadly zero-day flaws in Apple's iOS and OS X, claiming it is possible to crack Apple's password-storing keychain, break app sandboxes, and bypass its App Store security checks. Attackers can exploit these bugs to steal passwords from installed apps, including the native email client, without being detected. The team was able to upload malware to Apple's app stores, and passed the vetting processes without triggering any alarms. That malware, when installed on a victim's Mac, raided the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome. Lead researcher Luyi Xing told El Reg he and his team complied with Apple's request to withhold publication of the research for six months, but had not heard back as of the time of writing. They say the holes are still present in Apple's software, meaning their work will likely be consumed by miscreants looking to weaponize the work. Apple was not available for immediate comment. The Indiana University boffins Xing; Xiaolong Bai; XiaoFeng Wang; and Kai Chen joined Tongxin Li, of Peking University, and Xiaojing Liao, of Georgia Institute of Technology, to develop the research, which is detailed in a paper titled Unauthorized Cross-App Resource Access on Mac OS X and iOS. "Recently we discovered a set of surprising security vulnerabilities in Apple's Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps' sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome," Xing told The Register's security desk. "Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store. 
"We completely cracked the keychain service - used to store passwords and other credentials for different Apple apps - and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps." The team was able to raid banking credentials from Google Chrome on the latest OS X 10.10.3, using a sandboxed app to steal the system's keychain data and secret iCloud tokens, and passwords from password vaults. Photos were stolen from WeChat, and the token for popular cloud service Evernote was nabbed, allowing it to be fully compromised. "The consequences are dire," the team wrote in the paper. Some 88.6 per cent of 1,612 OS X and 200 iOS apps were found "completely exposed" to unauthorized cross-app resource access (XARA) attacks allowing malicious apps to steal otherwise secure data. Xing says he reported the flaws to Apple in October 2014. Apple security bods responded to the researchers in emails seen by El Reg expressing understanding for the gravity of the attacks, and asked for at least six months to fix the problems. In February, the Cupertino staffers requested an advanced copy of the research paper. Google's Chromium security team was more responsive, and removed keychain integration for Chrome, noting that it could likely not be solved at the application level. AgileBits, owner of popular software 1Password, said it could not find a way to ward off the attacks nor make the malware "work harder" some four months after it was warned of the vulnerabilities. ("Neither we nor Luyi Xing and his team have been able to figure out a completely reliable way to solve this problem," said AgileBits's Jeffrey Goldberg in a blog post today.) The team's work into XARA attacks is the first of its kind; Apple's app isolation mechanisms are supposed to stop malicious apps from raiding each other. 
The researchers found "security-critical vulnerabilities" including cross-app resource-sharing mechanisms and communications channels such as the keychain, WebSocket and Scheme. "Note that not only does our attack code circumvent the OS-level protection but it can also get through the restrictive app vetting process of the Apple Stores, completely defeating its multi-layer defense," the researchers wrote in the paper. They say almost all XARA flaws arise from Apple's cross-app resource sharing and communication mechanisms such as keychain for sharing passwords, BID based separation, and URL scheme for app invocation, which is different from how the Android system works. Their research, previously restricted to Android, would lead to a new line of work for the security community studying how the vulnerabilities affect Apple and other platforms. Here's the boffins' description of their work: Source
  3. Uber insisted it had not been hacked following the discovery that log-in information for thousands of the car-sharing service's users is widely available on the online black market. Motherboard confirmed last week that several dark Web forums — hidden from the regular internet using the online anonymity software Tor — were selling working log-ins for Uber for as little as $1. Uber denies the information was taken from its own servers, however. “We investigated and found no evidence of a breach,” the company said in a statement. “Attempting to fraudulently access or sell accounts is illegal and we notified the authorities about this report.” An Uber log-in can not only be used to rack up fraudulent trips, but would also give access to the user’s travel history, exposing home addresses. An account also contains partial credit card information. Uber said the log-ins might have been lifted by either breaking weak passwords, or by trying passwords exposed in other data breaches. “This is a good opportunity to remind people to use strong and unique usernames and passwords, and to avoid reusing the same credentials across multiple sites and services,” Uber said. The company’s data security has made headlines in recent months. In late February, it came out that the personal information of up to 50,000 drivers had been compromised during a May 2014 breach. The 2014 hack is not related to the current rash of Uber log-ins for sale, the company said. Source
  4. When a company is breached, the typical reaction is to increase security across the board. But Twitch, the Amazon-owned game streaming company, has decided to reduce the minimum number of characters in user passwords, thereby allowing users to have less secure logins, in response to customer complaints. The attack was announced yesterday on a company blog, whilst emails were also sent to concerned users. There’s little detail on the extent of the attack; Twitch simply said all user passwords were to be reset after it detected possible unauthorized access to some Twitch user account information. According to the email sent to users, some cryptographic protections were used on passwords, but it wasn’t clear how strong they were. And it said it was possible passwords could have been captured in plain text by malicious code when users logged into the site on 3 March. Various kinds of data could have been compromised, including credit card information, in particular card type, a truncated card number and the expiration date. Usernames and associated email addresses, passwords, the last IP address users logged in from, phone number, address and date of birth were also potentially stolen. With all that information, a hacker would have a good chance of stealing a victim’s identity. Users started to complain en masse across Twitch’s social networks, however. Some said they couldn’t remember their password, others said when they tried to change their passwords to anything less than 20 characters they weren’t allowed, due to the site’s restrictions. Texan Twitch customer Corbin Ellis told the company on their Facebook page that “if users want to use bad passwords, that’s their problem, not yours”. Twitch caved to customer demands, announcing it would reduce the limit on minimum password length to eight characters minimum. Web security expert Troy Hunt told FORBES more than eight was surprisingly restrictive. 
“But what’s disheartening about this is that users have apparently baulked at creating passwords longer than eight characters so are clearly not getting the message on what constitutes a strong ‘secret’.” Authentication expert Per Thorsheim said it didn’t make sense to lower the length requirement after a breach. “I’d say on the contrary in many cases. In this specific case they have dramatically lowered their requirements. From a security perspective this could be justified by new and better ways of sending, [encrypting] and storing your passwords.” If any more evidence was needed that the username-password paradigm is a flawed form of authentication, the Twitch breach has provided it. Source: Amazon's Twitch Hacked, Caves To Angry User Demands For Less Secure Passwords - Forbes. Twitch have really taken a beating on this one...
  5. Emails Nerdy #1 - Pastebin.com
  6. I wrote a small program for decrypting/displaying/saving the passwords saved in the Google Chrome browser. When we choose to save the passwords of the various accounts on the various sites we browse, Chrome saves that information in an SQLite database called "Login Data", normally located in C:\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default\ (replacing USERNAME with the Windows user name, of course). The password field is a BLOB field, i.e. it cannot be viewed directly. For its encryption, Chrome uses the Windows account user name as a "seed"; consequently, you will not be able to decrypt a Chrome database other than by logging in with the Windows user name that was used to create the database. The program can be used to study and deepen one's understanding of how Google Chrome implements data security, it can be used to recover forgotten user names or passwords, or... for other purposes, depending on each person's imagination. To ease... those other purposes, I also added a function for quickly exporting the data to an XML file that will be saved on the desktop (ChromePwd.xml). The compiled executable can be downloaded here. The source code (Visual Studio 2013 project) can be downloaded here. Enjoy
  7. A security consultant has published 10 million passwords along with their corresponding usernames in a move he characterized as both necessary and legally risky given a legal landscape he said increasingly threatens the free flow of hacking-related information. Most of the existing corpus of passwords exposed in hack attacks is stripped of usernames, preventing researchers from studying the possible relationship between the two fields. Mark Burnett, a well-known security consultant who has developed a specialty collecting and researching passwords leaked online, said his sole motivation for releasing the data was to advance what's already known about the way people choose passcodes. At the same time, he said he was worried the list might land him in legal hot water given the recent five-year sentence handed to former Anonymous activist and writer Barrett Brown, in part based on links to hacked authentication data he posted in Internet chat channels. "I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment," he wrote in a post published Monday night on his blog. "I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me." Last March, federal prosecutors dropped criminal charges related to links Brown left in two Internet relay chat channels that were frequented by members of the Anonymous hacker collective. The links led to authentication data taken during the December 2011 hack on Strategic Forecasting by members of Anonymous. Before dropping the charge, prosecutors said the links amounted to the transfer of stolen information. Even though the charge was dropped, however, prosecutors still raised the linking to support their argument Brown deserved a long prison sentence. 
In Monday night's post, Burnett also raised changes the Obama administration is proposing to federal anti-hacking statutes. Many security professionals have said the revised law would outlaw the publication of links to public password dumps even if the person making the link had no intent to defraud. If the people sharing the information have any reason to believe someone might use it to gain unauthorized computer access, critics have argued, they would be subject to stiff legal penalties under the Computer Fraud and Abuse Act. Including usernames alongside passwords could help advance what's known about passwords in important ways. Researchers, for instance, could use the data to determine how often users include all or part of their usernames in their passwords. Besides citing the benefit to researchers, Burnett also defended the move by noting that most of the leaked passwords were "dead," meaning they had been changed already, and that all of the data was already available online. As password dumps go, 10 million is a large number, but it's still small compared to the seminal 2009 hack of gaming website RockYou, which leaked 32 million passcodes, 14.3 million of which were unique. Last year, The New York Times reported that Russian criminals amassed a database of more than one billion passwords gathered from more than 420,000 websites. As Burnett noted, what sets this latest dump apart is that it was made by a security professional with the goal of advancing the public understanding of password choices. Equally noteworthy will be the reaction it receives from prosecutors. Source
  8. magnet link. Source: https://xato.net/passwords/ten-million-passwords/
  9. Nearly half of people aged 16 to 24 foresee the end of passwords and pin numbers by 2020 as biometric security takes over, according to research by Visa. The research of 2,000 people revealed that 69 percent of respondents aged between 16 and 24 - dubbed 'Generation Z' - believe it will be easier and faster to use biometric identification than remembering passwords and pin numbers. This age group is also keen to adopt biometric security. Some 76 percent feel comfortable with the concept of making payments using biometric data. Jonathan Vaux, executive director at Visa Europe, told V3 that the use of biometric authentication in smartphones as seen in Apple's latest iPhones will help drive demand for the technology. "Fingerprint biometrics in particular are entering the mainstream as a security measure, with the likes of Apple and Samsung relying on biometric security to enter their phones, and more recently the launch of Touch ID and Apple Pay," he said. Generation Z also favours fingerprint scanning over other forms of biometric identification, the research revealed. Nearly 70 percent expressed a desire to use fingerprints rather than passwords, while 39 percent favour retina scans and 27 percent favour face recognition. Vaux explained that biometrics technology will continue to evolve, offering more secure identification by scanning vein patterns in fingers rather than fingerprint systems which can be hacked. This evolution of biometrics and increased demand from consumers will break down the scepticism and criticism that some consumers show for the technology. "We mustn't discount biometrics as a viable form of security. When passwords were first introduced consumers needed to be educated on how to be safe and secure when using them," said Vaux. However, Vaux does not believe that passwords will disappear completely, but will become a secondary layer of security to further reduce the risk of fraud. 
"There are some concerns surrounding biometric security measures, such as whether fingerprints can be reproduced. Biometric security could be coupled with password or Pin authentication to maintain higher levels of security," he said. "In the future there may not be one security measure, but a combination of several - the biometric equivalent of two-step authentication." Biometric security is undoubtedly becoming more widespread. Apple added its TouchID fingerprint scanner to the latest range of iPads and iPhones, and Barclays has introduced a tool that scans the vein patterns in a finger. Source
  10. A team of Internet security researchers has stumbled upon a massive online cache of more than 2 million hacked email addresses, usernames, and passwords. SpiderLabs, a division of online firm Trustwave that bills itself as an "elite team of ethical hackers, investigators and researchers," made the announcement Tuesday. The majority of hacked accounts come from major sites: Facebook, Yahoo, Google, Twitter, LinkedIn, and Russian and eastern European social networking sites odnoklassniki and VK. The thing that many of the hacked accounts had in common? Outrageously easy passwords. Tens of thousands of them had passwords like "12345," "1," "admin," and the ever-popular "password." As you'd expect, the fewer characters and complexity a password had, the more likely it was to end up on that list. The passwords had been harvested by an enormous botnet referred to as a "Pony," which the BBC referred to as "probably run by a criminal gang." As this Pony's operators did a good job of covering their tracks, SpiderLabs couldn't confirm where the attackers were based, though the dump was written in Russian. Source: The Daily Dot. More info: Look What I Found: Moar Pony! - SpiderLabs
  11. Dumpmon scours Twitter for sensitive data hiding in plain sight. Password and credit-card details leak online every day. So no one really knows just how much personally identifiable information is available by clicking on the right link to Pastebin, Pastie, or similar sites. Using a platform that runs on the hobbyist Raspberry Pi platform to drink from this fire hose, a security researcher has cataloged more than 3,000 such posts in less than three months while adding scores more each week. Dumpmon, as the project is called, is a bot that monitors Twitter messages for Web links containing account credentials, sensitive account information, and other "interesting" content. Since its debut on April 3, it has captured more than 3,300 records containing 1.1 million addresses, most of which are accompanied by the plaintext or cryptographic hash of an associated password. The project has also unearthed social security and driver license numbers, credit card data, and other information that could be used to hijack user accounts or commit identity theft. On average, Dumpmon collects 51 such posts each day. "It was mainly trying to determine how much information is being hidden from plain view and finding out how much information can be found just by looking in the right place," said Jordan Wright, a security engineer for CoNetrix. (Wright created the Dumpmon as an independent side project.) "It's pretty incredible. I wasn't expecting as much information as I found. I was expecting a lot less for sure." The "dumps," as the online data postings are called, are frequently published to embarrass the victims or as a means for hacking crews to demonstrate their prowess to rivals. Often, dumps are advertised on Twitter or another social networking site with a line or two of vague or cryptic text and a link. In the span it takes to comb through one such posting, a half-dozen or more additional dumps may be posted. The frequency makes it hard for outsiders to keep tabs. 
Of the 620 records Wright has analyzed in depth, the researcher recovered 174,423 e-mail addresses accompanied by a hashed or plaintext password. With so many sites using e-mail addresses as account user IDs, the data often gives attackers all they need to access multiple accounts maintained by a victim. In the event the owner has used the same address and password to secure other accounts—or even the e-mail address itself—attackers can reuse the credentials to hijack those as well. Of the 174,423 e-mail addresses Wright analyzed in depth, more than 120,000 of them were accompanied by a plain-text password. The remaining passwords were expressed as cryptographic hashes, which are frequently trivial to crack. Account credentials are by no means the only valuable data included in these postings. The 620 records Wright analyzed for this article also contained what appeared to be valid data for 1,496 payment cards. In many cases, data collected by Dumpmon included bank account numbers and home addresses. Other files observed by Ars included social security and driver license numbers, first and last names, addresses, and medical diagnoses contained on health records. Dumps also contained passwords stored on computers that had been infected by malware. "These full identity dumps are probably more of the higher commodity item," Wright said of the records containing social security numbers, names, and addresses. "As far as why these were dumped for free, that's the answer I'm looking for: Why people are giving this information out?" Some of the data—for instance, a recent dump posted to Pastebin that Ars will not link to—appears to be derived from browsers that were configured to store frequently used account IDs and passwords. When the computers are infected with malware, the credentials are dumped to a file that later gets posted online. The discoveries led Wright to publish a post documenting how Google Chrome, Internet Explorer, and other browsers store passwords. 
Incidentally, Wright concluded users shouldn't trust their passwords to these storage systems, but I'm not so sure. Any computer that is infected with malware that provides a backdoor onto the system is already vulnerable to wholesale password theft. In fairness to Wright, the sensitive details may be easier or quicker to gather en masse when they're stored in a browser. Other dumps cataloged by Dumpmon included private SSH encryption keys used to administer websites, configuration files for Cisco routers, and logs from successful malware infections. To keep things interesting, Dumpmon has been designed to run on the Raspberry Pi platform. "The goal was to find a happy balance between both obtaining new pastes from the different sites, as well as processing the existing pastes in the queue to determine if they are interesting," Wright said. "This created challenges, since the Raspberry Pi has limited hardware capability and I was monitoring for quite a few things." Because posts on Pastebin and other sites are often taken down by the original poster or site administrators, Dumpmon also copies and stores the contents of each one. While Wright has published the underlying code for anyone to use, he said he makes the cached data available only to white hat researchers. "I don't want to make it easier for the wrong people," he explained. "My goal was as best as I could only give it to people who will use it responsibly." Via