mask.of.sanity (1228908) writes
"eBay Japan created passwords for accounts based on a combination of a username plus a static salt, allowing anyone with knowledge of it to access any account, a researcher reported. The salt, which should have been random, used was the combination '123456', which was reported as last year's worst password." Complete with visual aids.
looks like both. password = crypt(username+salt)
By raymorris • 2014-Mar-27 16:04 • Score: 5, Informative
My interpretation is that they used a) as b), which should be fine if the salt was actually salty. I think they did:
default_password = crypt(username+salt)
That would be fine if they used real salt (random), but instead they used Mrs. Dash salt substitute.
Not salt
By blueg3 • 2014-Mar-27 16:20 • Score: 5, Informative
It looks from the video that the password is simply the username concatenated with a global string, "123456".
That's not salt. That's not what the word means. A salt is data that is not part of the password but is combined with the password when hashed. The client side never sees salt.
So all these discussions of salt are not at all relevant.
This is fundamentally a case of hard-coded credentials, which is more stupid than a non-random salt. (Also, really, transmitting credentials over HTTP?)
Re:Not salt
By jxander • 2014-Mar-27 16:24 • Score: 5, Funny
We'll call this "just a pinch of salt"
Same for all Four Users?
By fullback • 2014-Mar-27 16:51 • Score: 3
I've lived in Japan for over 20 years and I, like probably most people in Japan, didn't know it even existed.
Re:Hey
By marcansoft • 2014-Mar-27 17:15 • Score: 5, Interesting
Sorry for the threadjack, but this is yet another case of horrible security reporting.
From watching the video, what seems to have happened here was that eBay chose phpBB for their community forum, but did not integrate its authentication system directly with eBay's on the server side. Instead, the site was set up as a standalone system, and whoever implemented the integration had the bright idea of hardcoding the forum password for everyone as username+123456, and then just having the eBay login page issue a hidden POST request behind the scenes to authenticate users to the community forum section.
Thus, this allows anyone to trivially impersonate anyone else on the forum. It shouldn't have anything to do with the rest of the site, though. Nor does this have anything to do with initial passwords, salts, or any of the other terms that have been thrown around.
A case of absolutely retarded login integration for the community site, but not something that would allow people to take over others' main eBay account. What this says about the people running eBay is another matter entirely...
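An added example in Python (my own code, not from any poster in this thread or from eBay/phpBB) that puts blueg3's definition of a salt next to the derived-password scheme marcansoft describes: a per-user random salt is stored server-side and combined with the password at hash time, so knowing the salt still does not let a caller authenticate, whereas a credential built from username plus a fixed string needs no secret at all. The function and store names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; raise for production, lowered here so the example runs quickly.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Combine the password with its salt and derive a 32-byte digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(store: dict, username: str, password: str) -> None:
    """Store (salt, hash) for a user. The salt is random and unique per user;
    it lives only on the server and is never sent to the client."""
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))

def verify(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Without the actual password, the salt alone is useless to a caller."""
    if username not in store:
        return False
    salt, stored = store[username]
    return hmac.compare_digest(stored, hash_password(password, salt))

# The scheme described in the thread: the forum "password" is a function of
# public data (the username) and one hard-coded string, so anyone who knows
# the scheme can produce any user's credential. This is a hard-coded
# credential, not a salt, because nothing secret enters the computation.
STATIC_SUFFIX = "123456"

def derived_forum_password(username: str) -> str:
    return username + STATIC_SUFFIX

def credential_is_derived(username: str, password: str) -> bool:
    """Audit check for a password store: flag credentials that equal
    username + a known static string and should be rotated."""
    return hmac.compare_digest(password, derived_forum_password(username))

if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery")
    print("real password accepted:", verify(users, "alice", "correct horse battery"))
    print("derived string accepted:", verify(users, "alice", "alice123456"))
    print("derived credential flagged:", credential_is_derived("alice", "alice123456"))
```

Two users registering the same password end up with different salts and different hashes, which is the whole point of a salt.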