
Thread: Windows Live login suggested as Xbox Live security flaw [Joystiq]

  1. #1
    ServBot (Level 11) DP ServBot's Avatar
    Join Date
    Jun 2007
    Location
    Cyberspace
    Posts
    3,436

    Windows Live login suggested as Xbox Live security flaw [Joystiq]

    Since reporting on the "FIFA hack" and related security concerns with Xbox Live and the Windows Live ID system, we've received stories, documentation and theories on how this is happening from dozens of victims. As we continue to follow up on several leads, Analoghype posits an interesting theory on how some of these breaches may be occurring.

    AH suspects that the hackers grab gamertags from a game of Halo or Call of Duty, then Google the tags to find associated emails on social networking sites. They now have a potential list of Windows Live IDs. Going to Xbox.com, the hacker can now test if the email is a valid ID by attempting to sign in. An error message of "account is invalid" has them moving on to another email; "password is incorrect" means they've got a real account, but a bad password.
    Windows Live login suggested as Xbox Live security flaw originally appeared on Joystiq on Fri, 13 Jan 2012 11:50:00 EST.

    I am not a real person. I am the Digital Press ServBot, in active duty, assigned to fetching various RSS feeds and posting them here. If you can suggest a better feed source please PM a moderator or admin.
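The enumeration described in the article works because the sign-in form answers differently for "no such account" and "wrong password". The following is an added example, not code from Joystiq, Analoghype or Microsoft: a constructed in-memory user store, a `login_leaky` handler that behaves as the article describes, and a `login_hardened` handler that returns one message for both cases, does the same hashing work either way so timing does not leak the answer, and adds the per-account attempt limit post #4 mentions. All names, the threshold and the sample account are assumptions.

```python
import hashlib
import hmac
import os

# Constructed user store for the example: email -> (salt, PBKDF2 hash).
# Iteration count kept modest so the example runs quickly.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used when the email is unknown, so the server does the
# same amount of work (and takes about the same time) for both outcomes.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """The behaviour the article describes: the error text reveals whether
    the email is a real account, so each failed attempt still teaches something."""
    if email not in USERS:
        return "account is invalid"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "password is incorrect"
    return "ok"


FAILED: dict = {}          # email -> consecutive failed attempts (assumed store)
LOCKOUT_THRESHOLD = 5      # assumed value; post #4 says Live locks after "so many"


def login_hardened(email: str, password: str) -> str:
    """Same message for unknown email and bad password, constant work, and a
    lockout that applies to unknown emails too (otherwise the lockout itself
    would reveal which emails exist)."""
    if FAILED.get(email, 0) >= LOCKOUT_THRESHOLD:
        return "too many attempts; try again later"
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = email in USERS and hmac.compare_digest(_hash(password, salt), stored)
    if not ok:
        FAILED[email] = FAILED.get(email, 0) + 1
        return "invalid email or password"
    FAILED.pop(email, None)
    return "ok"
```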

  2. #2
    Paↄ-Man (⅃evel 10) RP2A03's Avatar
    Join Date
    Nov 2009
    Location
    59 6F 75 72 20 48 44 44 20 61 64 64 69 6E 67 20 65 6D 62 61 72 72 61 73 73 69 6E 67 20 64 61 74 61
    Posts
    2,807


    This is just another reminder that all important passwords should be long, random, and never recycled.

    Also, secret questions are bullshit.
    Mario says "... if you do drugs, you go to hell before you die."

  3. #3


    I don't buy it. I don't think the passwords are being brute-forced. Even the dumbest sysadmin would notice 20,000 incorrect password attempts per login.

    It's *far* more likely that the passwords were obtained through security breaches on other websites, like the 1,250,000 email address/password combinations that Gawker leaked in 2010. Even this website's security is questionable; who knows if someone's already grabbed a dump of the database and "decrypted" the passwords offline.

    There are plenty of places on the web where you can insert an email address, and it'll tell you the passwords they've used on compromised websites. Password reuse is deadly, but it's impossible to remember a new password for everything you log into.

    As was mentioned above:

  4. #4
    Cherry (Level 1)
    VertigoProcess's Avatar
    Join Date
    Sep 2011
    Location
    Delray Beach, FL
    Posts
    302
    Xbox LIVE
    vertigoprocess


    Windows live locks you out after so many attempts... I forgot my password one time and was able to make it worse by guessing until I got locked out...
    Hardware Collection

    Nintendo: NES, SNES (Model 1 and 2), N64, GCN, Wii, Gameboy Classic, Gameboy Pocket (Model 1 and 2), Gameboy Color, GBA, SP (Model 1), DS, DS Lite, DSI
    Sega: SMS (Model 1), Genesis (Model 1, 1.5, 2, 3), 32X, Saturn (Model 2), Dreamcast, Nomad, Game Gear
    Atari: 2600 (Heavy Sixer, Sixer, Four Switch, Sunnyvalle, Vader, JR Short rainbow, JR, Sears Four, Sears Sixer), 5200 (4 Port), 7800 PRO
    MIS.: Magnavox CD-I, 3DO FZ-1, 3DO Goldstar, TG 16, Intellivision, Action Max, XBox, 360, PSX, PS3, PSP, Wonderswan B/W, Game Com, NEO GEO Pocket Color

  5. #5
    DP's favorite trollbait
    Kitsune Sniper's Avatar
    Join Date
    Aug 2003
    Location
    Calexico, USA
    Posts
    13,841
    Xbox LIVE
    FoxhackDN
    Steam
    Foxhack


    Quote Originally Posted by ProgrammingAce View Post
    I don't buy it. I don't think the passwords are being brute-forced. Even the dumbest sysadmin would notice 20,000 incorrect password attempts per login.

    It's *far* more likely that the passwords were obtained through security breaches on other websites, like the 1,250,000 email address/password combinations that Gawker leaked in 2010. Even this website's security is questionable; who knows if someone's already grabbed a dump of the database and "decrypted" the passwords offline.

    There are plenty of places on the web where you can insert an email address, and it'll tell you the passwords they've used on compromised websites. Password reuse is deadly, but it's impossible to remember a new password for everything you log into.

    As was mentioned above:
    I hate that comic because it seems to me like it's using the wrong calculations. Why is it using 2^28? Shouldn't it be (as many characters that can be used on a password)^28? I mean, taking into account that most sites allow uppercase letters, lowercase letters and numbers, that would be 26 (A-Z) + 26 (a-z) + 10 (0-9), so shouldn't it use 62^28 instead?

    Windows calculator says that number is 1.538038851104056746784345972931e+50. Divide that by 86400000 (1000 attempts per second x 60 seconds x 60 minutes x 24 hours) and you get 1.7801375591482138272966967279294e+42 days. Which is around 4.8770892031457913076621828162449e+39 years.

    And the bottom one using the four random words isn't really that much more secure because it's using WORDS. That can be cracked using dictionary attacks. Wikipedia says the Oxford English Dictionary has around 250,000 words, and we have four words, so 250,000^4 = 3906250000000000000000. Divide that by the 86400000 attempts per day, then divide that by 365 per year, and you get 123866374936.58041603247082699137 years. Which, again, is still a lot of time.

    I dunno, this just doesn't sit well with me.

    Edit: And no, I'm not a math wizard, in fact I have a lot of problems with math. BUT the way the strip is written doesn't seem right to me. I could be wrong, and I probably am.
    Quote Originally Posted by Edmond Dantes View Post
    I can't tell if we're discussing My Little Pony or Neon Genesis Evangelion anymore.
    eBay Auctions / GameTZ profile / DP Feedback / Youtube / Twitter / RateYourMusic
