11th Jan 2009
The Dictionary Hack
It’s an old trick, the dictionary hack. Hook up a server login page with a dictionary file and run all the words as passwords until you hit something. In this case, the program got to “H” for happiness, before the server opened up and all of the Twitter goodies fell out.
It’s not that impressive to me that the perpetrator was 18. Who else has all that time to spend, just to misspell Bill O’Reilly’s name on the FOX Twitter stream and let us all know he’s gay. What is impressive to me is that the security was so lax at Twitter that this was able to happen.
Via Twittown:
The details of the rudimentary hack reveal a startling lack of essential security within Twitter’s halls, and raises eyebrows about the potential for Twitter to be marketed as an internal collaboration tool for business use. The so called dictionary-hack has been a mainstay of hackers for decades, and the servers should have been configured to recognize the repeated login attempts. A lack of strong password enforcement (ensuring that passwords are complex) and a failure to “lock out” accounts after multiple failed attempts are a breeding ground for would be hackers and crackers - with a situation like that, it was only a matter of time.
As far as hacks go, this one was relatively harmless (though the Twitter execs trying to monetize the service may disagree with me on that point). Nobody’s bank account was drained. Nobody really believed O’Reilly was being outed by FOX News.
What’s interesting to me is how we use words as code. When we type them over and over into a server to get access to a website, they lose their meaning. Do you think that whoever set the “happiness” password felt happy every day while he or she typed it in? Devoid of context, words become little more than letter patterns, in this case motor commands from the brain. If there is any meaning, it’s “let me in, already.”
Say a word again and again, until the syllables run together, and you have a group of circular phonemes, not a word at all. (What the hell does “Om mani padme hum” mean, anyway?)
Names have a similar sort of meaning transfer. When I took the name Ruby, I thought a lot about its meaning. Now I rarely think about it, and I’m sure when my wife hears the word Ruby, she thinks of me before she thinks about a red stone with the hardness of nine mohs.
I am a word addict, but of all the qualities of words, the one I like best is that they mean something. They are the most basic metaphor of our human lives.
If there’s a moral to this story, it’s don’t use common words as passwords. I would argue further that we should not use anything with meaning as a password. Let’s keep those meanings sacred, shall we? After all, 8-letter/number/symbol patterns are infinite. The number of words in any dictionary, on the other hand, is decidedly finite.
It’s an old trick, the dictionary hack. Hook up a server login page with a dictionary file and run all the words as passwords until you hit something. In this case, the program got to “H” for happiness, before the server opened up and all of the Twitter goodies fell out.
It’s not that impressive to me that the perpetrator was 18. Who else has all that time to spend, just to misspell Bill O’Reilly’s name on the FOX Twitter stream and let us all know he’s gay. What is impressive to me is that the security was so lax at Twitter that this was able to happen.
Via Twittown:
The details of the rudimentary hack reveal a startling lack of essential security within Twitter’s halls, and raises eyebrows about the potential for Twitter to be marketed as an internal collaboration tool for business use. The so called dictionary-hack has been a mainstay of hackers for decades, and the servers should have been configured to recognize the repeated login attempts. A lack of strong password enforcement (ensuring that passwords are complex) and a failure to “lock out” accounts after multiple failed attempts are a breeding ground for would be hackers and crackers - with a situation like that, it was only a matter of time.
As far as hacks go, this one was relatively harmless (though the Twitter execs trying to monetize the service may disagree with me on that point). Nobody’s bank account was drained. Nobody really believed O’Reilly was being outed by FOX News.
What’s interesting to me is how we use words as code. When we type them over and over into a server to get access to a website, they lose their meaning. Do you think that whoever set the “happiness” password felt happy every day while he or she typed it in? Devoid of context, words become little more than letter patterns, in this case motor commands from the brain. If there is any meaning, it’s “let me in, already.”
Say a word again and again, until the syllables run together, and you have a group of circular phonemes, not a word at all. (What the hell does “Om mani padme hum” mean, anyway?)
Names have a similar sort of meaning transfer. When I took the name Ruby, I thought a lot about its meaning. Now I rarely think about it, and I’m sure when my wife hears the word Ruby, she thinks of me before she thinks about a red stone with the hardness of nine mohs.
I am a word addict, but of all the qualities of words, the one I like best is that they mean something. They are the most basic metaphor of our human lives.
If there’s a moral to this story, it’s don’t use common words as passwords. I would argue further that we should not use anything with meaning as a password. Let’s keep those meanings sacred, shall we? After all, 8-letter/number/symbol patterns are infinite. The number of words in any dictionary, on the other hand, is decidedly finite.
Posted by Rubesy under 
dictionaries, words 
No Comments »
