[From Community Talk] What users want: Phishers and the Hotmail 10k Password List
  • [From Community Talk] What users want: Phishers and the Hotmail 10k Password List

    OK, you may have heard about the 10 thousand e-mail addresses + passwords that a hacker recently posted on pastebin. If not, here is the news writeup:

    http://www.neowin.net/news/main/09/1...-leaked-online

    I've been doing some analysis of the list, and it's looking more and more like the passwords were collected via "find out who blocked you on msn-instant messenger" phishing websites. A more detailed writeup of this particular attack can be found here:

    http://blog.nirsoft.net/2009/08/29/m...international/

    So, being n+1 beers into the night, I had the thought, "This is a feature users really want." People are very interested to find out if anyone has blocked them on social networking sites, so much so that they are willing to go to sketchy websites and enter all their credentials into them. The question then becomes: should this be a feature that Microsoft (and other IM clients and social networking sites) offer inherently? Or, to put it a different way, is the privacy loss of other people knowing when you block them worth the interest people have in knowing if they are being blocked? Would public blocking make people less likely to block people they don't like, or would it teach better manners to all the people posting meal updates on Twitter?

    Or does this post make you want to block me ;)

    My initial analysis of the list can be found below:

    http://reusablesec.blogspot.com/2009...passwords.html

  • #2
    Re: [From Community Talk] What users' want: Phishers and the Hotmail 10k Password Lis

    From what I understand of this scam, the root issue is the same as most other security holes: the human variable. The vast majority in the corporate sector use inherently weak passwords, and unfortunately believe that if it's on a website, it must be okay. The issue isn't that Microsoft, or any other company, has weak security features; it's that their security requirements for users are too lax. Add the social networking craze into the mix, and you're bound to get a variable shitstorm of the gullible literally handing their credentials to scammers.

    This paragraph is my own view and my own view only; take it as an opinion. As your analysis pointed out, the majority of passwords were what most would consider insufficient. Personally, when I see a group of weak passwords, I see a person who assumes that they actually are the 10,000,000th visitor to the website and have actually won that iPod Touch. I would assume that this type of user is young, and therefore heavily involved in social networking and actually gives a rat's ass if someone blocks them on an IM client, making them the perfect target for this kind of thing.

    Now, will Microsoft, or any other service provider, stop the scam in its tracks by blocking a few IPs? I doubt it. I'm sure any forum admin, from any forum, can attest to this one: if you were to block a forum account that is putting out malicious, probably automated spam, is that going to deter that same spam bot trying again from another source? Not likely. The best solution I can think of is the same one you did: make it a feature of your client. Something as simple as the automated offline message "This message cannot be delivered" blah blah blah "This user is not accepting your messages at this time" etc. etc. Shit, even an automated message at the moment of blocking, "This user has chosen to no longer accept your messages", would do the job.

    Though regardless of what features you put in place, regardless of what measures you take, there will always be the human variable. Does the user use a good password? Can the user recognize what is a legitimate service versus what is likely to be a malicious attempt at credential theft? After all, Microsoft will flat out tell you your password sucks, and they'll flat out tell you not to share your password with a 3rd party. Unfortunately, it's not a good business practice for IM, webmail, and social networking service providers to require a good password. They have millions upon millions of users, and the vast majority of them would be displeased with such requirements and simply move on to other service providers. Though I personally dislike t-shirts and bumper stickers with slogans, at least one has it right: "...Because there is no patch for human stupidity."
    "You have cubed asscheeks?"... "Do you not?"
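    The OP's analysis of the leaked list is only linked above, not reproduced, and neither post shows how such a list is actually measured. As an added example (my own code, not the OP's script and not anything from this thread), here is the kind of first-pass statistics both posts are talking about: parse an "email:password" dump, histogram password lengths and character-class mixes, count digit-only and repeated passwords, and measure how many entries would fail the sort of length-plus-complexity requirement that #2 says providers won't enforce. The ten entries in SAMPLE_DUMP are constructed for the example and are not lines from the real 10k paste; the policy thresholds (8 characters, 3 character classes) are an assumption, not anyone's actual rule.

```python
from collections import Counter

# Constructed sample in the "email:password" shape of the pastebin dump.
# These are made-up entries, NOT lines from the real Hotmail list.
SAMPLE_DUMP = """\
alice@hotmail.com:123456
bob@hotmail.com:alejandra
carlos@live.com:alberto1
dana@hotmail.com:Tr0ub4dor&3
eve@msn.com:iloveyou
frank@hotmail.com:123456
gina@hotmail.com:qwerty
hugo@live.com:mariana12
ivy@hotmail.com:PassW0rd!2009
jose@hotmail.com:1234567
"""


def parse_dump(text):
    """Split 'email:password' lines into (email, password) pairs.

    Only the first ':' separates the fields, so a password that itself
    contains ':' survives intact. Blank and malformed lines are skipped.
    """
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.append((email.strip().lower(), password))
    return creds


def char_classes(pw):
    """Return the set of character classes (lower/upper/digit/symbol) used in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def meets_policy(pw, min_len=8, min_classes=3):
    """Assumed policy for the example: minimum length and minimum class mix."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes


def analyze(creds):
    """Summary statistics over a list of (email, password) pairs."""
    pws = [p for _, p in creds]
    if not pws:
        return {"count": 0}
    return {
        "count": len(pws),
        # how long the passwords are
        "length_hist": dict(Counter(len(p) for p in pws)),
        # most reused passwords (ties keep first-seen order)
        "top": Counter(pws).most_common(3),
        # how many character classes each password mixes
        "class_hist": dict(Counter(len(char_classes(p)) for p in pws)),
        # share of entries that would fail the assumed policy
        "policy_fail_rate": sum(1 for p in pws if not meets_policy(p)) / len(pws),
        "digits_only": sum(1 for p in pws if p.isdigit()),
        # which mail services the victims were on
        "domains": dict(Counter(e.rsplit("@", 1)[1] for e, _ in creds)),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {value}")
```

    On the constructed sample the script reports 8 of 10 passwords failing the assumed policy, 3 digit-only passwords and "123456" reused twice; run it over a real dump (one `email:password` per line) to get the same breakdown for that list.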

    • #3
      Re: [From Community Talk] What users want: Phishers and the Hotmail 10k Password List

      Report on the analysis of 32M passwords

      http://www.net-security.org/secworld.php?id=8742
      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

      • #4
        Re: [From Community Talk] What users want: Phishers and the Hotmail 10k Password List

        Originally posted by streaker69:
        Report on the analysis of 32M passwords

        http://www.net-security.org/secworld.php?id=8742
        I see not much has changed in a long time!!!
        "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

        • #5
          Re: [From Community Talk] What users want: Phishers and the Hotmail 10k Password List

          ...and speaking of weak passwords.

          http://therumpus.net/2010/01/convers...oyee/?full=yes

          Employee: I’m not sure when exactly it was deprecated, but we did have a master password at one point where you could type in any user’s user ID, and then the password. I’m not going to give you the exact password, but with upper and lower case, symbols, numbers, all of the above, it spelled out ‘Chuck Norris,’ more or less. It was pretty fantastic.
          I'd hope they changed it to something a little stronger than Chuck Norris.

          <cue the jokes in 3....2....1>