by Alphaville Herald on 27/12/09 at 3:02 pm
Rainbow tables, SQL injection, and why you want to use a different password for e-mail
by Pixeleen Mistral, National Affairs desk
The new Try All Your Chance blog details the frightening extent of the BanLink security problems that led to the Second Life ban list sharing site's apparent demise – and suggests that BanLink user passwords might as well have been stored in plain text given the lack of site security.
"Names, passwords, email addresses; 100% of the data the site had,anyone could view and even modify. Even without access to the membersarea of the site."
BanLink was a popular shared Second Life ban list service that was ultimately neglected by its creators and afflicted with fundamental serious security issues – a story the Herald broke in September after being tipped to the fact that certain URLs caused the BanLink site to share supposedly secret ban information with world+dog on teh interwebs.
The Try All Your Chance coverage is notable for a lucid discussion of the moral dilemma that is responsible disclosure of exploits – followed by a hands-on detective story that explains exactly how poorly protected BanLink user passwords were and how the BanLink web site was ultimately put in perma-maintenance mode.
When data is at risk and the administrators are missing, it can be hardto figure out a moral course of action. Ignoring it and doing nothingleaves all the users unknowingly at risk, but disclosing it publiclypotentially exposes them to even more risk. Even when theadministrators aren't missing, it can be hard to spur them into actionwithout hard evidence of a serious problem. I knew that word wasalready spreading, and that the Herald was about to go public with theinformation, so I set out to see how much I could get the site to giveme.
The philosophical discussion is followed by a step-by-step how-to guide illustrating worst practices in web site security. By crafting URLs with embedded database queries – a technique known as SQL injection – the author deduces the database structure, locates the table with user accounts, e-mail addresses, and passwords. With access to the password table, the weak encryption is almost immediately broken by use of pre-computed password hashes known as rainbow tables.
"BanLink stored unsalted MD5 hashes of passwords, which is about as good as storing them in plain text."
Wrapping up the cautionary tale with practical advice, Try All Your Chance points out that using the password for your e-mail account for any other service is a very bad idea – since most sites will reset passwords by sending a message to your e-mail.
With practical, lucid of coverage of interwebs and metaverse deep tech, Try All Your Chance is a must-read blog for 2010.