Wednesday, February 02, 2011

Human errors and Password Harvesting

This trick of collecting passwords came to my mind after I repeatedly committed the same mistake multiple times. Yes, call me an asshole, but it happens. It's human to make errors. It's this human behavior that can be harnessed by any website or service to collect passwords.

How you say?

Simple. Store all the invalid passwords that the user has entered along with the login name.

This works because most people today are internet savvy and will have signed up for services like email, SMS, net banking, shopping, etc. As we are humans and not machines, we find it difficult to remember multiple passwords. What do we do next? We settle on a common phrase plus one variable phrase based on the website or service, or on something else altogether. A combination of the two is the complete password.
Whatever combination we settle on, when we have to enter the password for service A we often type the wrong one, and many times it is the password for some other website or service B.

So now the service has a list of a particular person's invalid passwords, and it also has his personal information, such as an alternate email ID or a library card number (used as a secret question; it could just as well be a customer ID for a bank, or whatever). Those invalid passwords can then simply be tried against the alternate email account, against OpenID-enabled sites, etc. There might be some more use cases, but these two are the ones that come to my mind most of the time.
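As an added illustration (not the author's code) of the leak described above: a login handler that retains every wrong guess next to the login name, beside one that records only the fact that a failure happened, plus a canary check a service operator can run against their own logging to see which behaviour they have. The user store, salt, password and PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed demo store: one account with a salted PBKDF2 hash.
# Assumption: a low iteration count is used only to keep the demo fast.
SALT = b"demo-salt"
ITERATIONS = 10_000


def _derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


USERS = {"alice": _derive("correct horse")}


@dataclass
class AuditLog:
    """Stand-in for whatever the service persists about login attempts."""
    entries: list = field(default_factory=list)


def _verify(user: str, candidate: str) -> bool:
    return user in USERS and hmac.compare_digest(_derive(candidate), USERS[user])


def login_leaky(log: AuditLog, user: str, candidate: str) -> bool:
    """The pattern the post warns about: the wrong guess itself is kept."""
    ok = _verify(user, candidate)
    if not ok:
        log.entries.append({"user": user, "attempt": candidate, "ok": False})
    return ok


def login_safe(log: AuditLog, user: str, candidate: str) -> bool:
    """Hardened: record who failed and when, never what was typed."""
    ok = _verify(user, candidate)
    log.entries.append({"user": user, "ok": ok})
    return ok


def leaks_failed_guesses(login_fn) -> bool:
    """Canary check: submit a unique wrong guess, then look for it in the log."""
    log = AuditLog()
    canary = "canary-" + secrets.token_hex(8)
    login_fn(log, "alice", canary)
    return canary in json.dumps(log.entries)
```

In a real deployment the same canary idea applies to application logs, crash reports and analytics exports, not just the login table.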

I am not good at writing. I know the closing of the post is improper. It sounds incomplete, can't help it. I said what I had on my mind.

Thank you for reading this :)

- yam
