As a fan of security and strong passwords, I read with interest Lifehacker’s article about how easy it is to hack passwords. In general the article is right on the money and I agree with its message. However, I took issue with the article on two points.
On the first point, they’re talking about how easy it is to either guess or brute force your passwords. Guessing and forcing passwords can be done over the Internet without needing to compromise your (the victim’s) computer. However, the last step is “simply” to get at the cookies on your local machine:
But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)
– Lifehacker Mar 30, 2010
For me this is crossing the line from informative into fear mongering. Yes, once you have logged into someone’s computer as the user they surf the Internet as, it is indeed trivial to read cookies. No, this cannot be done over the Internet. No, this is not a simple step to take.
On the second point (now that I’m not drafting this on my phone and am using a real computer), I see that the original article was published in 2007! Just about all the info in the original article still holds true 3 years later, but I find it awkward when the article on Lifehacker has items like this in it:
EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.
Which made me think it was a Lifehacker edit in 2010, but was in fact an edit from John Pozadzides in 2007. Speaking of Pozadzides, his blog looks pretty right on and I don’t really have any beef with him (in that totally anonymous Internet beef kind of way), but I mainly take issue with fear mongering, especially when it comes to cookies.
Update: This article seems to be making the rounds on a lot of sites.
Update 2: There’s a great comment from Wangston below.
you don’t need local access to steal cookies. many/most XSS attacks allow the attacker to steal cookies remotely. there are also a lot of MITM attacks you can use to steal cookies (if i control your DNS, then you send me your cookies!)
Wangston – Excellent point! My hackles may have been prematurely raised when I read the article. Indeed, the XSS scenario you describe is exactly how the Jira/Apache hack was executed. However, I still feel there’s a level of sophistication for a good XSS hack that’s different than a script kiddie brute force.
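The cookie-theft routes raised above (cookies readable from the browser, cookies lifted by injected script, cookies sent to a man in the middle) are exactly what the HttpOnly and Secure attributes exist to limit. As an added example that is not part of the original post or comments, here is a small audit of Set-Cookie headers that reports which cookies a site leaves exposed; the header values are constructed samples, and the hostname bank.example is a placeholder.

```python
# Added example: audit Set-Cookie header values for the attributes that
# limit cookie theft. The three headers below are constructed samples.
from http.cookies import SimpleCookie

SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "bank_session=deadbeef; Path=/; Domain=bank.example",
    "prefs=dark; Path=/; Secure",
]


def audit_set_cookie(header_value):
    """Return {cookie_name: [issues]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)  # parses name=value plus its attributes
    findings = {}
    for name, morsel in jar.items():
        issues = []
        # Without HttpOnly, script injected via XSS can read the cookie
        # through document.cookie and send it elsewhere.
        if not morsel["httponly"]:
            issues.append("readable by script (no HttpOnly)")
        # Without Secure, the cookie is sent over plaintext HTTP, where a
        # man in the middle (e.g. one controlling DNS) can observe it.
        if not morsel["secure"]:
            issues.append("sent over plaintext HTTP (no Secure)")
        # Without SameSite, the cookie rides along on cross-site requests.
        if not morsel["samesite"]:
            issues.append("attached to cross-site requests (no SameSite)")
        findings[name] = issues
    return findings


def script_readable(header_values):
    """Names of cookies that injected script could read (no HttpOnly)."""
    exposed = []
    for header in header_values:
        for name, issues in audit_set_cookie(header).items():
            if any("HttpOnly" in issue for issue in issues):
                exposed.append(name)
    return exposed


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for name, issues in audit_set_cookie(header).items():
            print(name, "->", issues or "ok")
```

Run against a site's real response headers, the same check tells you which session cookies an XSS bug would hand to an attacker and which ones only a local-machine compromise could reach.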