On 08/12/2014 09:23 PM, Carlos E. R. wrote:
> I know some people that use the exact same 4 digit "password" on all the places, from credit card pin to google.
In one sense I can't say I blame them. You've recounted a good example of the ISP/database people being idiots.

I too have encountered a site just recently that allowed ':' but not ';' and didn't say anything when I entered a password with a ';'. Not until I pressed 'submit', and then it said 'passwords don't match'. Which wasn't the error. So I installed that plugin for Firefox that makes password fields visible and verified that both fields had the same, EXACTLY the same, and it still said that.

The support people did not understand why it wasn't working. They did not know about this quirk. As it turned out neither did the web site admin nor the database people, because this was a commercial package they had bought. No-one had actually RTFM. While they pressured me into using some other password I did so only on condition they sent up a bug report to the vendor.

The original developers had long since left the vendor's employ and this baffled them for about a week. I happened across that cartoon and wondered, so I sent a copy to the ISP support and they sent it to vendor support. At first vendor support, so I'm told, dismissed it as "That can't possibly be what's wrong". Then someone did test it and LO! All this time that site, every site using that vendor's software, had been vulnerable to SANS' #1 vulnerability: SQL injection.

http://cwe.mitre.org/top25/index.html#Listing

That and buffer overflow have been at the top for a couple of decades now.

http://www.infosecurity-magazine.com/news/sql-injection-most-dangerous-threa...
http://www.infosecurity-magazine.com/news/more-than-8-in-10-software-applica...

<quote>
The latest State of Software Security Report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to Veracode's cloud-based application security testing platform.

For web applications, the report found a high concentration of cross-site scripting and SQL injection vulnerabilities, with cross-site scripting present in 68% of all web applications and SQL injection present in 32% of all web applications. Those vulnerabilities were found to affect a higher percentage of U.S. government web applications than private industry. The survey found that 75% of government applications had cross-site scripting issues compared to 67% for the finance sector and 55% for the software sector; 40% of government applications had SQL injection issues, compared to 29% for finance and 30% for software.
</quote>

Given figures like that it's no wonder hackers steal millions of account entries.

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
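The quirk described in the post (a password with ';' silently refused, the failure reported as 'passwords don't match') is the signature of password text being pasted into SQL. The following is an added example, not code from the post or from the vendor's package, written from the defender's side: it puts the broken pattern next to the fixed one, using an in-memory SQLite database and a constructed password containing ':' , ';', a single quote and '--'. Names such as `register_concatenated` and `register_parameterized` are mine, and the schema is invented for the demonstration. It also shows why blacklisting ';' was beside the point: ';' inside a properly quoted literal is harmless, while the quote character is what actually breaks the statement; parameter placeholders make both irrelevant.

```python
import hashlib
import hmac
import os
import sqlite3


def open_db():
    """In-memory SQLite standing in for the vendor's database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, secret BLOB)"
    )
    return conn


def register_concatenated(conn, username, password):
    """The broken pattern: the raw password is spliced into the SQL text.

    Returns None on success, or the database error message. A front end that
    swallows that message is how 'passwords don't match' gets shown for what
    is really a SQL syntax error caused by the password's characters.
    """
    sql = "INSERT INTO users (username, secret) VALUES ('%s', '%s')" % (
        username,
        password,
    )
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256; the database never sees the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register_parameterized(conn, username, password):
    """The fixed pattern: '?' placeholders carry the values separately from the SQL text,
    so no character in the password can alter the statement, and only a salted hash is stored."""
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users (username, salt, secret) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_parameterized(conn, username, password):
    """Look up the user with a placeholder and compare hashes in constant time."""
    row = conn.execute(
        "SELECT salt, secret FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo():
    """Run both patterns against a constructed password that contains ':' ';' a quote and '--'.

    Returns (concatenation_failed, parameterized_verifies, wrong_password_rejected).
    """
    awkward = "c:o;r'r--ect"  # constructed; the characters the post's site choked on

    broken = open_db()
    err = register_concatenated(broken, "alice", awkward)  # the quote breaks the SQL

    fixed = open_db()
    register_parameterized(fixed, "alice", awkward)  # accepted unchanged
    return (
        err is not None,
        verify_parameterized(fixed, "alice", awkward),
        verify_parameterized(fixed, "alice", "wrong-password"),
    )


if __name__ == "__main__":
    print("concatenated SQL failed on a quote in the password:", demo()[0])
    print("semicolon alone in concatenated SQL is not the problem:",
          register_concatenated(open_db(), "bob", "a:b;c") is None)
```

The point a practitioner should take from the two `register_*` functions: the fix is not a longer list of forbidden characters but keeping user data out of the SQL text entirely, which also removes the reason to restrict which characters a password may contain.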