Slashdot: News for Nerds

Leaked Passwords On Display At a German Museum

timothy posted about 7 months ago | from the where's-your-scanner dept.

Security 42

Daniel_Stuckey writes "Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year. He brings the books to his exhibits, called 'Forgot Your Password,' where you're free to see if he's got your data—and whether anyone else who wanders through is entirely capable of logging onto your account and making Connections with unsavory people. In fact, Bartholl insists: "These eight volumes contain 4.7 million LinkedIn clear text user passwords printed in alphabetical order," the description of his project reads. "Visitors are invited to look up their own password.""

42 comments

My slashdots are fixed (-1)

Anonymous Coward | about 7 months ago | (#45689737)

No longer redirecting me to the beta. I am using from another IP than usual, though (but that may be coincidence). I hope for everyone else that they have stopped redirecting for everyone.

meanwhile (4, Funny)

marcello_dl (667940) | about 7 months ago | (#45689779)

I'd set up some cams to see what the visitors point at (getting the password or a narrow alphabetical space to bruteforce), and try to sniff their smartphone (fake open AP) so I get what the user could be. That will teach those suckers to look up their pass in public.

Re:meanwhile (0)

Anonymous Coward | about 7 months ago | (#45691067)

They should have made the lookup electronic to make this even easier.

Woefully bad summary. (0)

Anonymous Coward | about 7 months ago | (#45689835)

See title.

Worse are sites with password constraints (2)

sandbagger (654585) | about 7 months ago | (#45689969)

I recently applied for a job on a web site. In addition to the usual infuriations (thanks for uploading your resume, please spend the next 45 minutes copying and pasting individual paragraphs into our form. Oh, and we don't support ASCII so good luck with those bullets) the password was constrained to A-Z and numbers only and under 10 characters.

I usually use a random string from something from a strong password generator script. Why any programmer with more than two brain cells to rub together would want a weak password is beyond mysterious to me. Probably some ding-dong in marketing demanded it.

Re:Worse are sites with password constraints (5, Funny)

Anonymous Coward | about 7 months ago | (#45690057)

Oh, and we don't support ASCII so good luck with those bullets

An EBCDIC website?

Re:Worse are sites with password constraints (2, Informative)

S.O.B. (136083) | about 7 months ago | (#45691159)

An EBCDIC website?

Awesome EBCDIC reference.

The true nerds will know what it is...the fanboi, pseudo nerds (the majority of Slashdot now it seems) will Google it and say they knew all along.

Re:Worse are sites with password constraints (1)

TheGratefulNet (143330) | about 7 months ago | (#45691839)

If not EBCDIC, it could be Baudot or SIXBIT. (Yeah, I worked at DEC...)

Re:Worse are sites with password constraints (1)

S.O.B. (136083) | about 7 months ago | (#45703381)

Whooosh!!!!

Re:Worse are sites with password constraints (1)

sandbagger (654585) | about 7 months ago | (#45691179)

OP here:

It'd not be a problem except that they don't tell you until after you submit the text, and then go back to check. I mean, it's nearly 2014, you'd think some basic support for formatting would be on most web sites. Actually, scratch that. Extensive support for text formatting when you're asking Joe/Jane consumer to paste in a resume should be ready.

Why?

People will more often than not be pasting from a Word file. Yes, most of that formatting can be ignored because Word tends to fill formatting with no end of wrappers but replacing bullets and dashes with character strings is silly.

Re:Worse are sites with password constraints (2)

zippthorne (748122) | about 7 months ago | (#45690185)

Why any programmer with more than two brain cells to rub together would want a weak password is beyond mysterious to me. Probably some ding-dong in marketing demanded it.

Because they're storing the password in plain text in the database and disk space was expensive in 1986.

This might not be the programmer's fault. It might be that the requirements were written in 1986 and whoever wrote them didn't understand the concept of password reset or hadn't heard of cryptographic hash functions.

Re:Worse are sites with password constraints (5, Interesting)

AnttiV (1805624) | about 7 months ago | (#45690211)

Amen to that. The funny (or sad) thing is, this is too common, even in this age. One of the largest ISPs/Carrier Networks here in Finland has a hilariously stupid password rule set. Note: As much as I'd like it to be, this is not a joke.

1) 8-16 characters.
2) a-z, A-Z, 0-9 ONLY (Note: Although this is a Nordic country, this still excludes our normal day-to-day use letters ä, ö and å.)
3) No three same characters in the entire password. NOT sequential or one after the other. In the *whole* password. (So "2rv8b23r09vnbn2" would not do, because "2" is there three times).
4) NO rule for sequential numbers/characters.

What this all comes to, is that the system gladly accepts "12345678" and "abcdefg" as perfectly viable and good passwords, but doesn't allow "j243508vubj234gj", "#a&%B3bv#sdf#" or "correct horse battery staple" to be used.

Re:Worse are sites with password constraints (3, Insightful)

JLennox (942693) | about 7 months ago | (#45691125)

I've worked with designers that thought more rules = more secure, which is the opposite of true. More rules = less key space.
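
An added illustration, not part of any comment in this thread: the three rules listed above written as a validator, plus an exact count of how much key space the repeat rule and the alphabet restriction each remove. Function names are made up for this example; the 95-character alphabet is the printable ASCII range (codes 32 to 126).

```python
import math
import string
from collections import Counter

ALNUM = set(string.ascii_letters + string.digits)   # rule 2: 62 characters

def policy_violations(pw):
    """Rules 1-3 from the comment above; an empty list means 'accepted'."""
    broken = []
    if not 8 <= len(pw) <= 16:
        broken.append("rule 1: length 8-16")
    if not set(pw) <= ALNUM:
        broken.append("rule 2: a-z, A-Z, 0-9 only")
    if max(Counter(pw).values(), default=0) >= 3:
        broken.append("rule 3: character used three times")
    return broken

def count_max_two(k, n):
    """Exact number of length-n strings over k symbols, no symbol used 3+ times."""
    total = 0
    for pairs in range(n // 2 + 1):          # symbols that appear exactly twice
        singles = n - 2 * pairs              # symbols that appear exactly once
        arrangements = math.factorial(n) // 2 ** pairs
        total += math.comb(k, pairs) * math.comb(k - pairs, singles) * arrangements
    return total

def keyspace_bits(k, rule3=False, lengths=range(8, 17)):
    """log2 of the number of allowed passwords over all permitted lengths."""
    count = sum(count_max_two(k, n) if rule3 else k ** n for n in lengths)
    return math.log2(count)

if __name__ == "__main__":
    # Sample passwords are the ones quoted in the comment above.
    for pw in ["12345678", "2rv8b23r09vnbn2", "j243508vubj234gj",
               "#a&%B3bv#sdf#", "correct horse battery staple"]:
        print(f"{pw!r:32} {policy_violations(pw) or 'accepted'}")
    print(f"policy as described : {keyspace_bits(62, rule3=True):.2f} bits")
    print(f"62 chars, no rule 3 : {keyspace_bits(62):.2f} bits")
    print(f"printable ASCII (95): {keyspace_bits(95):.2f} bits")
```

Of the sample passwords, only "12345678" is accepted. The repeat rule removes well under one bit of key space, while limiting the alphabet to 62 characters removes more than nine bits relative to printable ASCII.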

Re:Worse are sites with password constraints (1)

maxwell demon (590494) | about 7 months ago | (#45693519)

a-z, A-Z, 0-9 ONLY (Note: Although this is a Nordic country, this still excludes our normal day-to-day use letters ä, ö and å.)

While the restriction to letters and digits only clearly is too strong (any non-control character in ASCII — that is, character codes 32 to 126 — should be allowed, and such characters increase the security of the password), I can totally understand not supporting letters outside the basic ASCII range. For those, there's a non-negligible chance of them getting incorrectly encoded, which causes mysterious password failures despite you having entered the password correctly. Which is especially bad if it happens when setting your password.

Re:Worse are sites with password constraints (0)

Anonymous Coward | about 7 months ago | (#45690317)

Maybe you should encode your bullets as UTF-8?

Re:Worse are sites with password constraints (0)

Anonymous Coward | about 7 months ago | (#45690449)

Bank of Montreal's online banking allows only six A-Z characters. Not even numbers are allowed. That was still true when I finally left them for another institution (which has no constraints) earlier this year.

Re:Worse are sites with password constraints (2)

Johann Lau (1040920) | about 7 months ago | (#45690489)

It's also a huge red flag considering you're only supposed to store hashes of some variety, never the password itself. If how long the password is doesn't affect the length of what you store in the database at all, what is the point of limiting it, right?

Re:Worse are sites with password constraints (0)

Anonymous Coward | about 7 months ago | (#45690921)

Well, then some idiot wants to have newlines in their password...

Re:Worse are sites with password constraints (1)

digitalchinky (650880) | about 7 months ago | (#45692711)

There is nothing idiotic about allowing newline in a form field, just that most user interfaces are likely to have an event listener that does something a little more logical with \r, \n, or \r\n making it difficult or simply not possible to use.

Re:Worse are sites with password constraints (1)

93 Escort Wagon (326346) | about 7 months ago | (#45690941)

Why any programmer with more than two brain cells to rub together would want a weak password is beyond mysterious to me. Probably some ding-dong in marketing demanded it.

While it's not quite at the same level... even now, some of Microsoft's web logins restrict the password to 16 characters.

A couple months ago, when I was setting up an account for one of their services (Lync? Live.com? Microsoftstore.com? I don't remember) to do some testing for work - I generated one of my typical somewhere-between-16-and-24-character passwords, but it was rejected because it "needs to be 16 characters or less".

Re:Worse are sites with password constraints (1)

maxwell demon (590494) | about 7 months ago | (#45693493)

Oh, and we don't support ASCII so good luck with those bullets

Sorry, I can't find the bullet in ASCII.

Abmahnung (1)

Teun (17872) | about 7 months ago | (#45689971)

Some German law office needs to send him an Abmahnung for using my copyrighted (life + 70 years) password!

Because he needs to understand copyright as an IP deserves better protection than other kinds of property.

Re:Abmahnung (0)

Anonymous Coward | about 7 months ago | (#45690019)

Well you won't get anywhere posting on slashdot. Hire a lawyer and sue him ASAP. Just to be safe hire 2 lawyers... Lawyers love to take money from nutcases like you.

Re:Abmahnung (0)

Anonymous Coward | about 7 months ago | (#45691557)

And since court cases are public, the world will soon know what your password is (or what algorithm you use), and you'll have to change it anyway.

I logged into my account and closed it. Problem s (3, Interesting)

jasonbrown (142035) | about 7 months ago | (#45690029)

I can't remember why I needed them in the first place anyways.

Re:I logged into my account and closed it. Problem (1)

melstav (174456) | about 7 months ago | (#45690647)

What's LinkedIn?

Re:I logged into my account and closed it. Problem (1)

antdude (79039) | about 7 months ago | (#45692765)

To find employment?

Re:I logged into my account and closed it. Problem (0)

Anonymous Coward | about 7 months ago | (#45693723)

No. It's a site similar to Facebook where stupid people connect other stupid people and then brag about how rich their social network is.

Re:I logged into my account and closed it. Problem (0)

Anonymous Coward | about 7 months ago | (#45701661)

It supposedly lets folks "do networking" to get referrals and news of openings. I don't know what their hire-rate is. From what little I've seen, it's more of a circle-jerk scam, everybody up-rating everybody else; among other things they want you to upgrade to their "pro" level where you pay for site-internal messaging and other groovy stuff.

I joined a while back with the idea of using it as a way to get in touch with some old friends. While a few are there, I don't have the time or inclination to learn the ins and outs well enough to twist it to my purposes, so will likely drop my account and connect with the old buds elsewhere (and no, _NOT_ on Facebook.)

Really? Anyone Else? (1)

TubeSteak (669689) | about 7 months ago | (#45690179)

Because LinkedIn didn't force a password reset for all those accounts already?

Re:Really? Anyone Else? (0)

Anonymous Coward | about 7 months ago | (#45690571)

Because most people use the same password everywhere.

I hope they don't have mine (0)

Anonymous Coward | about 7 months ago | (#45690191)

I used the same password for my LinkedIn account as my luggage.

They'll find mine in the list (3, Funny)

jeauxkewl (1465425) | about 7 months ago | (#45690297)

It's the same as all my others. *************

Re:They'll find mine in the list (4, Funny)

wonkey_monkey (2592601) | about 7 months ago | (#45691677)

hunter2

New interface sucks! (0)

Anonymous Coward | about 7 months ago | (#45690781)

I'm still getting the beta forced on me :-(

Did anyone consider letting users choose or have they been bought by Yahoo?

LinkedIn? (1)

RedHackTea (2779623) | about 7 months ago | (#45690981)

Who cares.

Installation Piece (1)

aaronb1138 (2035478) | about 7 months ago | (#45691435)

He forgot to include the parts of the installation where a series of cameras and mics watch your eye movement, page number, and breathing to compile a short list of password roots from which to compromise your other accounts.

That's twice in two days now, Daniel_Stuckey (1)

wonkey_monkey (2592601) | about 7 months ago | (#45691537)

Could you take just a little more care with your copy-paste submissions? This is twice in two days that you've copied the second and third paragraphs of a story, thus robbing the initial sentences of their context. Example:

Earlier this year, it was London. Most recently, it was a university in Germany. Wherever it is, [artist Aram] Bartholl is opening up his eight white, plainly printed binders full of the 4.7 million user passwords that were pilfered from the social network and made public by a hacker last year.

Which social network?

Yes, it's specified further down in the submission, but more by luck than judgement, I suspect.

Makes one wonder if you're actually a sentient being.

I fucking hate... (3, Funny)

russotto (537200) | about 7 months ago | (#45693071)

...conceptual art.

Common password (0)

Anonymous Coward | about 7 months ago | (#45694495)

One that is often used in dictionary attacks: ncc1701

what social network. more poor editing. (0)

Anonymous Coward | about 7 months ago | (#45694539)

for real the /. says "the social network" WHICH ONE
