Phishing != cracking passwords
Friday, 9 October 2009 07:29

I just read a news article (in German) about the username/password lists with Hotmail, Yahoo! and Gmail users.
I was a bit disappointed to read that the passwords were referred to as having been "cracked" ("gaben ... bekannt, dass Passwörter von Privatkonten geknackt und im Internet veröffentlicht worden seien" = "... announced that passwords of individual accounts had been cracked and published on the Internet"), when in fact it appears that the passwords were obtained through phishing ("Hotmail, Yahoo und Gmail erklärten übereinstimmend, dass die Zugriffe auf die persönlichen Daten nicht durch Lücken in den Sicherheitsprogrammen, sondern durch Phishing zustande gekommen seien. Dabei werden Nutzer etwa mit betrügerischen E-Mails zur Preisgabe geheimer Daten gebracht." = "Hotmail, Yahoo and Gmail stated unanimously that access to the personal data had been gained not through holes in the security programmes but through phishing. In phishing, users are induced, for example by fraudulent emails, to divulge secret data.").
I'd say that "cracking" is applicable if an encrypted password is deciphered, a hash reversed, or a password brute-forced by attempting to log into a given account again and again with different passwords until the correct one is determined. But if a password is phished, i.e. divulged in plain text by a user, I wouldn't call that "cracked".
Semantics, perhaps, but I was a bit annoyed at the use of that word in that context, and I'd call that poor journalism.
(Especially since I don't think that anybody would say that the usernames were "cracked", even though those were obtained in the same way as the passwords -- and in some cases, a username can be nearly as secret as a password.)
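To make the distinction concrete, here is an added example in Python (not from the original post). It shows the two things the post is happy to call "cracking": reversing a stored hash offline with a wordlist, and brute-forcing a login endpoint online by trying candidate after candidate; beside them it shows a phished password, which needs no computation at all. The salt, the wordlist, the tiny search space, the `MockLoginService` stand-in for a real login page and the deliberately fast unsalted-iteration SHA-256 scheme are all constructed for illustration and are not anything a real provider uses.

```python
import hashlib
import hmac
import itertools
import string
from typing import Iterable, Optional

# Constructed example values: a fixed salt and a toy storage scheme that is
# deliberately cheap to evaluate, which is exactly what makes it crackable.
SALT = b"constructed-salt"


def store_password(password: str) -> str:
    """Hex digest of SHA-256(salt || password): the value a site would keep."""
    return hashlib.sha256(SALT + password.encode()).hexdigest()


def crack_offline(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline cracking: 'reverse' a stolen hash by hashing candidates until one matches.

    Nothing is sent to the site; the attacker only needs the hash and the salt.
    """
    for candidate in wordlist:
        if hmac.compare_digest(store_password(candidate), stored_hash):
            return candidate
    return None


class MockLoginService:
    """Stand-in for a web login endpoint (constructed). Counts attempts so the
    cost of online brute force is visible; a real service would rate-limit."""

    def __init__(self, username: str, password: str) -> None:
        self._users = {username: store_password(password)}
        self.attempts = 0

    def login(self, username: str, password: str) -> bool:
        self.attempts += 1
        stored = self._users.get(username)
        return stored is not None and hmac.compare_digest(store_password(password), stored)


def crack_online(service: MockLoginService, username: str,
                 alphabet: str = string.ascii_lowercase, max_len: int = 4) -> Optional[str]:
    """Online brute force: log in again and again with every candidate of
    length 1..max_len until the service accepts one."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if service.login(username, candidate):
                return candidate
    return None


def use_phished(service: MockLoginService, username: str, phished_password: str) -> bool:
    """Phishing: the user divulged the password in plain text, so the attacker
    performs a single ordinary login. Nothing is cracked."""
    return service.login(username, phished_password)


if __name__ == "__main__":
    svc = MockLoginService("alice", "cat")
    print("online brute force found:", crack_online(svc, "alice"), "after", svc.attempts, "attempts")
    print("offline wordlist found:", crack_offline(store_password("cat"), ["123456", "password", "letmein", "cat"]))
    svc2 = MockLoginService("alice", "cat")
    print("phished login succeeded:", use_phished(svc2, "alice", "cat"), "after", svc2.attempts, "attempt")
```

The attempt counter is the point: both cracking paths do work proportional to the password's strength, while the phished login costs one request regardless of how strong the password was, which is why a strong password is no defence against phishing.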
no subject
Date: Friday, 9 October 2009 07:15 (UTC)

The passwords weren't cracked - they weren't algorithmically deduced by brute force or through rainbow tables or whatever. Instead the users were duped into handing the passwords over.