
(Ars Technica) Millions of Virgin Mobile accounts at risk of password attacks, which one customer proves by hacking his own account and not setting off any alarms (arstechnica.com)
More: Fail, Virgin Mobile, Internet Crime, denial-of-service attack, passwords

3648 clicks; posted to Main on 19 Sep 2012 at 3:30 AM

31 Comments

Archived thread
 
2012-09-19 12:52:42 AM  
Passwords must be all numbers and can be no longer than six digits, meaning there are no more than 1 million possible valid combinations.


Fail is an understatement, and it sounds like this guy cracked his own account with virtually no effort. Glad I'm not a Virgin customer; I don't like using sites that make you use simple passwords.
 
2012-09-19 01:18:57 AM  
My virgin mobile password is more than six digits...


Still a shiatty pw scheme, though.
 
2012-09-19 03:35:53 AM  
I hack my own account every time I log into it.
 
2012-09-19 03:42:05 AM  
I lost interest in the headline after the first three words.
 
2012-09-19 03:49:00 AM  
I feel stupid some days... anyways...
 
2012-09-19 03:54:29 AM  
I use Virgin Mobile's USB broadbandtogo service (don't laugh, it's cheap and it works, unlike Verizon's) and my password is longer than 6 characters. Dunno if the phone side is any different, and all an attacker could do if they did access my account is renew my subscription or cancel my service, since changing passwords or upgrading to a new device seems to be more work than their webserver can cope with...

/3 hours on the phone with customer service simply to switch from the 3G to the new 4G USB device was a little extreme IMHO
 
2012-09-19 04:06:56 AM  
I was sure adding an extra digit would make my password uncrackable.
1.2.3.4.5...6
 
2012-09-19 04:10:34 AM  
From the editor's picked comments:

I work for a company that works with US DoD members. Because of their "government credentials", they must comply with heightened security requirements. Here's our website rules:

15 characters
2 uppercase
2 lowercase
2 special
no dictionary or personal characters (this is HARD to implement)
must change every 60 days
must change at least 4 characters each time
cannot use any of last 24 passwords
>> Locked out (human unlock) if 3 failed attempts in 60 minutes.


Wow, that's an incredibly stupid password policy. Know what happens when you try and make a password TOO secure? People can't remember them and write them on their desk/notepad/phone/wall.

Which is a more secure password? Random non-dictionary collection of numbers, lower case and upper case characters, or 4 random words strung together?

Impossible to remember: RE45to&*u543ui
Easy to remember: batterybatterycameraflash
 
2012-09-19 05:09:05 AM  

techbuzz: I was sure adding an extra digit would make my password uncrackable.
1.2.3.4.5...6


That's amazing, I have the same combination on my luggage.
 
2012-09-19 05:26:30 AM  

Rodrigues: From the editor's picked comments:

I work for a company that works with US DoD members. Because of their "government credentials", they must comply with heightened security requirements. Here's our website rules:

15 characters
2 uppercase
2 lowercase
2 special
no dictionary or personal characters (this is HARD to implement)
must change every 60 days
must change at least 4 characters each time
cannot use any of last 24 passwords
>> Locked out (human unlock) if 3 failed attempts in 60 minutes.

Wow, that's an incredibly stupid password policy. Know what happens when you try and make a password TOO secure? People can't remember them and write them on their desk/notepad/phone/wall.

Which is a more secure password? Random non-dictionary collection of numbers, lower case and upper case characters, or 4 random words strung together?

Impossible to remember: RE45to&*u543ui
Easy to remember: batterybatterycameraflash


NPR had a story early this year (don't know if it's still in their archives) that showed that length trumps complexity, big time!
 
2012-09-19 05:27:54 AM  
It's not just Virgin Mobile. Why there are banks and other online retailers that don't update their databases to allow special characters is beyond me. Two-factor authentication would help as well.
 
2012-09-19 05:31:25 AM  
I thought Virgin phones came with a chastity case? Or do you have to go to that kiosk downmall?
/Better keep your phone off during the walk
 
2012-09-19 06:15:16 AM  

slayer199: It's not just Virgin Mobile. Why there are banks and other online retailers that don't update their databases to allow special characters is beyond me. Two-factor authentication would help as well.


Just went through this with one of our e-mail providers; a friend's account has been hacked and so I changed our passwords, just in case. "What makes a secure password?" "At least one upper case letter" "Mixture of letters and numbers" "At least 6 characters"

Oh, P.S., "no symbols allowed" [facepalm]

So, how about two-factor authentication? [Google search on the provider's site = crickets]
 
2012-09-19 06:18:34 AM  
Oh, and giant bank [mortgage servicer]? No special characters allowed. Smallish credit union [daily use checking accounts]? Secure passwords and even usernames (cannot use account number or portion thereof), and two-factor authentication.
 
2012-09-19 06:26:04 AM  
Hurray. You're in my Virgin Mobile account. Now what?

It's not like they have my e-mails. I mean I suppose you could listen to my voic... nope. Those are all in Google Voice.
 
2012-09-19 06:49:53 AM  
Pretty soon it will be this:

Please choose a password:
A> Password #1
B> Password #2
C> Password #3
D> Password #4
 
2012-09-19 06:50:19 AM  
Big deal, they should write an article on me. I totally hacked into some douchebag's computer. He's at 127.0.0.1. As I type this I'm deleting all his
 
2012-09-19 07:13:08 AM  

Rodrigues: From the editor's picked comments:

I work for a company that works with US DoD members. Because of their "government credentials", they must comply with heightened security requirements. Here's our website rules:

15 characters
2 uppercase
2 lowercase
2 special
no dictionary or personal characters (this is HARD to implement)
must change every 60 days
must change at least 4 characters each time
cannot use any of last 24 passwords
>> Locked out (human unlock) if 3 failed attempts in 60 minutes.

Wow, that's an incredibly stupid password policy. Know what happens when you try and make a password TOO secure? People can't remember them and write them on their desk/notepad/phone/wall.

Which is a more secure password? Random non-dictionary collection of numbers, lower case and upper case characters, or 4 random words strung together?

Impossible to remember: RE45to&*u543ui
Easy to remember: batterybatterycameraflash


[image: imgs.xkcd.com]
 
2012-09-19 08:48:17 AM  
He wanted to avoid putting any undue strain on the Virgin servers, so he limited the attack to one request per second for a few hours, or a little more than 10,000 requests in three hours.

Tomorrow we'll hear that Virgin/Sprint have pressed charges against this guy for putting undue strain on Virgin's servers...
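The article's attacker sent one request per second for three hours without tripping anything; the thread's other extreme is the "3 failed attempts in 60 minutes" lockout. This added example (not code from the article, Virgin Mobile, or any poster) runs a sliding-window failed-login detector over constructed log lines, with the threshold and window as parameters. The log format, account numbers and source addresses are all invented.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real Virgin Mobile data): one account hammered at
# one request per second, another with ordinary scattered failures.
SAMPLE_LOG = """\
2012-09-19T03:00:00 login_failed account=5550001 src=198.51.100.7
2012-09-19T03:00:01 login_failed account=5550001 src=198.51.100.7
2012-09-19T03:00:02 login_failed account=5550001 src=198.51.100.7
2012-09-19T03:00:03 login_failed account=5550001 src=198.51.100.7
2012-09-19T03:05:00 login_failed account=5550002 src=203.0.113.9
2012-09-19T03:06:00 login_ok account=5550002 src=203.0.113.9
2012-09-19T05:30:00 login_failed account=5550002 src=203.0.113.9
2012-09-19T06:15:00 login_failed account=5550002 src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) account=(\d+) src=(\S+)$")

def parse_events(log_text):
    """Yield (timestamp, event, account, source) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_lockouts(log_text, threshold=3, window=timedelta(minutes=60)):
    """Return {account: ISO timestamp} for the first moment each account reaches
    `threshold` failed logins inside a sliding `window`. A successful login
    clears the account's counter, as most lockout implementations do."""
    recent = {}    # account -> deque of failure timestamps still inside the window
    locked = {}
    for ts, event, account, _src in parse_events(log_text):
        if account in locked:
            continue
        if event == "login_ok":
            recent.pop(account, None)
            continue
        q = recent.setdefault(account, deque())
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            locked[account] = ts.isoformat()
    return locked

if __name__ == "__main__":
    for account, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock account {account} at {when}")
```

With the thread's 3-per-hour rule, the one-request-per-second account trips the lock on its third attempt; the account with two failures 45 minutes apart never does.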
 
2012-09-19 08:59:39 AM  
Donn C. Drummond in Disguise
Rodrigues:
Impossible to remember: RE45to&*u543ui
Easy to remember: batterybatterycameraflash

NPR had a story early this year (don't know if it's still in their archives) that showed that length trumps complexity, big time!


I would say it depends a bit on the kind of attack.
If someone brute-forces through all character combinations, longer should be more secure.
If someone uses a dictionary-based attack, it's only a matter of time and popularity of such passwords before there are rules that concatenate words and that also add numbers and the more common special characters between the words. 

But yeah, I've also used sentences as passwords here and there; stuff like "ohforfarkssakenotanotheruselesspasswordformetoremember"
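The thread reasons about keyspace in several places: the first comment's "no more than 1 million possible valid combinations", the article's 10,000 guesses in three hours, and the post above noting that a passphrase's strength depends on whether the attacker guesses characters or whole words. This added example (not from the article or any poster) puts numbers on those claims; the 94-character printable alphabet, the 2048-entry word list and the guess rates are assumptions.

```python
import math

# Two attack models from the thread: exhaustive search over every character
# position, and a word-list attack that guesses whole words at a time.
def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn from `alphabet_size` symbols."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    return math.log2(space)

def expected_guesses(space: int) -> float:
    """On average a brute-force attacker finds the password halfway through."""
    return space / 2

def expected_days(space: int, guesses_per_second: float) -> float:
    return expected_guesses(space) / guesses_per_second / 86400

def fraction_covered(guesses_made: int, space: int) -> float:
    """Share of the keyspace an attacker has tried so far."""
    return guesses_made / space

def guesses_per_day_under_lockout(attempts: int, window_seconds: int) -> float:
    """Ceiling on online guesses per account when a lockout fires after
    `attempts` failures inside any `window_seconds`-long window."""
    return attempts * 86400 / window_seconds

# Password schemes named in the thread. Alphabet sizes are assumptions:
# 94 printable ASCII characters, a 2048-word list as used by passphrase generators.
SCHEMES = {
    "six_digit_pin":            keyspace(10, 6),     # Virgin Mobile's numeric PIN
    "random_14_printable":      keyspace(94, 14),    # style of RE45to&*u543ui
    "four_words_as_letters":    keyspace(26, 25),    # batterybatterycameraflash, char by char
    "four_words_from_wordlist": keyspace(2048, 4),   # same passphrase, word by word
}

if __name__ == "__main__":
    for name, space in SCHEMES.items():
        print(f"{name:26s} {entropy_bits(space):6.1f} bits  "
              f"{expected_days(space, 1.0):14.1f} days at 1 guess/s")
    # The article's run: about 10,000 guesses in three hours at one request per second.
    print("six-digit PIN covered after 10,000 guesses:",
          f"{fraction_covered(10_000, SCHEMES['six_digit_pin']):.1%}")
    # Same PIN behind the thread's "3 failures per 60 minutes" lockout.
    per_day = guesses_per_day_under_lockout(3, 3600)
    print("days to expect a hit under that lockout:",
          f"{expected_guesses(SCHEMES['six_digit_pin']) / per_day:,.0f}")
```

The passphrase drops from roughly 117 bits against a character-by-character search to 44 bits against a 2048-word list, which is the point the post above makes about dictionary rules.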
 
2012-09-19 09:47:47 AM  
Seriously, it's a prepaid phone account...there really isn't THAT much you can do by having a username/password.

/Has T-Mobile prepaid...the damn account wouldn't let me create a password that contained the letter "v".
 
2012-09-19 10:21:23 AM  
Meh, most Virgin Mobile users probably followed this policy before it was created.
 
2012-09-19 10:47:19 AM  
My wife has a Virgin prepaid (and I know the password since I often top that up) for her fairly frequent trips to the US. All they could really find out is how often she called her buddy when she was down in WI for a month. Whoop-de-farking-dooo

/Unless they wanted to reload her phone, which would suit me :)
 
2012-09-19 11:21:28 AM  
About a year ago, I decided to try out Virgin Mobile's service, but when I got home and tried to activate the phone, I got ZERO signal. I guess I shouldn't have been surprised, seeing as how (in the US) it's a Sprint MVNO - and Virgin Mobile phones can't roam on other networks.

I ended up returning the phone for a refund. At least that went smoothly, and given the lame password requirements, it's probably just as well I didn't switch to them.

/all cell phone companies suck - in unique ways
 
2012-09-19 11:38:37 AM  

Donn C. Drummond in Disguise: NPR had a story early this year (don't know if it's still in their archives) that showed that length trumps complexity, big time!


Oh, certainly you must mean National Public Radio (http://nationalpublicradio.org/, which for some reason redirects to some insensible http://npr.org/ site)?
 
2012-09-19 12:05:41 PM  
Well, thanks for telling everybody, dumbass.
 
2012-09-19 01:20:35 PM  

Rodrigues: From the editor's picked comments:

I work for a company that works with US DoD members. Because of their "government credentials", they must comply with heightened security requirements. Here's our website rules:

15 characters
2 uppercase
2 lowercase
2 special
no dictionary or personal characters (this is HARD to implement)
must change every 60 days
must change at least 4 characters each time
cannot use any of last 24 passwords
>> Locked out (human unlock) if 3 failed attempts in 60 minutes.

Wow, that's an incredibly stupid password policy. Know what happens when you try and make a password TOO secure? People can't remember them and write them on their desk/notepad/phone/wall.

Which is a more secure password? Random non-dictionary collection of numbers, lower case and upper case characters, or 4 random words strung together?

Impossible to remember: RE45to&*u543ui
Easy to remember: batterybatterycameraflash correcthorsebatterystaple


FTFY.
 
2012-09-19 01:46:12 PM  

Rodrigues: From the editor's picked comments:

I work for a company that works with US DoD members. Because of their "government credentials", they must comply with heightened security requirements. Here's our website rules:

15 characters
2 uppercase
2 lowercase
2 special
no dictionary or personal characters (this is HARD to implement)
must change every 60 days
must change at least 4 characters each time
cannot use any of last 24 passwords
>> Locked out (human unlock) if 3 failed attempts in 60 minutes.

Wow, that's an incredibly stupid password policy. Know what happens when you try and make a password TOO secure? People can't remember them and write them on their desk/notepad/phone/wall.



My boss has a file in his cabinet labeled "passwords".
 
2012-09-19 04:02:15 PM  

Rodrigues: From the editor's picked comments:

I work for a company that works with US DoD members. Because of their "government credentials", they must comply with heightened security requirements. Here's our website rules:

15 characters
2 uppercase
2 lowercase
2 special
no dictionary or personal characters (this is HARD to implement)
must change every 60 days
must change at least 4 characters each time
cannot use any of last 24 passwords
>> Locked out (human unlock) if 3 failed attempts in 60 minutes.

Wow, that's an incredibly stupid password policy. Know what happens when you try and make a password TOO secure? People can't remember them and write them on their desk/notepad/phone/wall.

Which is a more secure password? Random non-dictionary collection of numbers, lower case and upper case characters, or 4 random words strung together?

Impossible to remember: RE45to&*u543ui
Easy to remember: batterybatterycameraflash


here's a better scheme...

J&Jw^th2f@pow - easy to remember

How?

Jack and Jill went up the hill to fetch a pail of water.

Want it more secure? add Evian in front of water.

That being said if your example is *really* a US DoD password scheme, that's sad. Here's a breakdown of how you could get 95% of the passwords relatively quickly... use their own rules... what do you see?

15 characters - *guaranteed* people are still using girlfriends' names, or wives' maiden names here, in addition to social security numbers due to the length. They'll also just use an 8 character password twice.
2 uppercase - These will mostly be done at the beginning in sequence as people hate to hold down the shift key and most people can't type properly in the first place.
2 lowercase - who doesn't already use this? this is the easiest for them to type...
2 special - These are always variations of "at" being "@", etc.
no dictionary or personal characters (this is HARD to implement) - This is really dumb as it eliminates a ton of possibilities people would *want* to use. In addition, I guarantee that names are mostly not in these dictionaries 99% of the time, especially foreign names.
must change every 60 days - This one pisses me off the most because people don't understand that this is the *primary* reason passwords aren't secure. Sure, this leads some people to write them down, but *worse* is that it leads to an obvious pattern... the same password with only 4 characters changed... which is funnily your next requirement.
must change at least 4 characters each time - This leads to what I was getting at earlier... what's easiest to remember when you have to change your password so much and have to change 4 characters? changing the same four characters... okay then.. so you'll go in sequence... first time... 1234, second time 5678, etc.
cannot use any of last 24 passwords - this just makes *sure* they'll have to implement a repeatable scheme to remember their passwords.

When you apply these common ways to remember your password, how likely is it that there's a pattern among the employees? -Guaranteed, there's a pattern. Usually it's one of three used by everyone as they each tell each other how they handle the stupidity while not revealing their own password.

Based on this set of rules, I would guess at least one person is using this password...

$@Nity12$@Nity12

next month....

$@Nity34$@Nity34

etc.

and all of the others are some variation of the same scheme. If the dictionary catches "sanity", then just replace it with an Indian girlfriend's name.. say "Sarita" and you get the same effect.
 
2012-09-20 12:15:46 AM  
Why would anyone hack Virgin Mobile's service? It's almost useless. I know because I use it.
 
2012-09-20 04:16:34 PM  
Additionally frustrating (and another cause of weaker passwords) is that so many places have such DIFFERENT utterly ridiculous requirements. This has led me to have "sets" of passwords. I have a simple throw-away password for stupid crap I don't care about like random forums and news sites. I have a stronger version of it for sites that accept it. I have another for those that require the typical two-caps, two-lower, two-numbers, two-specials. I have another that is my primary secure pwd that I use for important things that also accept it, and a dumbed down version for important things where restrictions prevent special characters and the like. It's really quite atrocious.
 
Displayed 31 of 31 comments

This thread is archived, and closed to new comments.
