I received this anonymous email a few days ago:
I found what one could call a security hole in Stackoverflow. I'm curious enough to go digging around for holes, but too ethical to actually do anything with them. However, I'm afraid that by pointing it out I'll get banned, because a good member doesn't poke around like I just did. I promise I did nothing with what I found out besides confirm the hole. You may be wondering why I'm e-mailing you personally, rather than team@stackoverflow.com. It'll make sense when I reveal the hole, which is...
I logged in as you.
How? Well, there were two pieces of the puzzle, the password and the openid provider. I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out. The only reason I had the password is because your password is totally inadequate for someone running a site like StackOverflow. I don't want to go into any more detail than that, but man - dictionary password!
I've read about the secret "hacker" badge... if you're not going to punish me for my transgression, then I will reveal who I am and I sure wouldn't mind getting it. Still, I can understand if you're upset - I wouldn't want someone else digging up my password. (That's why I send this friendly e-mail instead of hoarding, or worst, selling, the information.)
Please, go change your openid password, before someone less ethical than I finds it.
- A friend of the site
These are the kinds of emails that make your blood run cold. Good thing I haven't made too many enemies. Today, I mean. So far. The day's not over, yet.
Is it true? Did someone just log in as me? I checked the OpenID logs, and sure enough, there was a valid login from an IP address I didn't recognize. He wasn't bluffing. He really did log in as me.
While it's true I probably should have used a more secure password, in my defense:
What's interesting about this, though, is how it happened. I'll reveal that tomorrow, with this one hint: I've talked about this exact sort of vulnerability several times on this very blog.
Until then, take your best guess: how do you think this person discovered my password? I'll highlight the best response tomorrow with the answer.
* Although as a Stack Overflow moderator I have unusual powers and probably should have used an alternate OpenID with more security.
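The email's complaint is that a dictionary word stays a dictionary password no matter how it is dressed up: mixed case, a digit or two tacked on, a few leet substitutions. As an added example, not code from the post or from any commenter, the Python below shows the normalisation a password-policy check can apply before a wordlist lookup: case-fold, strip up to three padding digits or symbols at each end, undo common leet substitutions, and only then look the result up. The wordlist, the leet table and the sample passwords are constructed for the demo; a real check loads a large dictionary plus terms specific to the user and the site.

```python
import itertools
import string

# Constructed miniature wordlist for the demo. A real deployment loads a
# large dictionary plus site-specific terms (project names, usernames, the
# words that appear on the user's own blog or profile).
WORDLIST = {"orange", "password", "dictionary", "wumpus", "codinghorror",
            "stackoverflow", "swordfish", "secret"}

# Leet substitutions read backwards: each symbol lists the letters it commonly
# stands in for. Ambiguous ones ("1" = i or l) expand to every option.
# This table is an assumption chosen for the demo, not an exhaustive one.
UNLEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
          "9": "g", "@": "a", "$": "s", "!": "i", "|": "l", "+": "t"}

MAX_EXPANSIONS = 4096          # cap on de-leet combinations per candidate
PADDING = set(string.digits + string.punctuation)


def trim_variants(pw, max_pad=3):
    """Yield pw with 0..max_pad leading and trailing digits/symbols removed.
    Every variant is yielded, not just the maximal trim, because a leading
    '0' may be padding ("0secret") or a leet 'o' ("0range")."""
    n = len(pw)
    for lead in range(max_pad + 1):
        if lead and pw[lead - 1] not in PADDING:
            break
        for trail in range(max_pad + 1):
            if trail and pw[n - trail] not in PADDING:
                break
            if lead + trail < n:
                yield pw[lead:n - trail]


def unleet_variants(s):
    """Yield every spelling of s with leet symbols mapped back to letters."""
    options = [UNLEET.get(ch, ch) for ch in s]
    combos = itertools.product(*options)
    for combo in itertools.islice(combos, MAX_EXPANSIONS):
        yield "".join(combo)


def dictionary_base(pw, wordlist=WORDLIST):
    """Return the dictionary word pw is derived from, or None.

    Normalisation: case-fold, strip up to three padding characters at each
    end, undo leet substitutions, then look the result up. Any match means
    the password is a dictionary password with decoration, nothing more."""
    lowered = pw.lower()
    for trimmed in trim_variants(lowered):
        for candidate in unleet_variants(trimmed):
            if candidate in wordlist:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed samples; the last one is the random string a commenter guessed.
    for sample in ["orange", "0r4n93", "Orange23", "P@ssw0rd1!", "Wumpus!",
                   "t;AoVD061MBWm=NX6V+u"]:
        base = dictionary_base(sample)
        verdict = f"derived from '{base}'" if base else "not in wordlist"
        print(f"{sample:24} {verdict}")
```

The check returns the base word rather than a boolean so the policy message can tell the user which word they dressed up. Trying every trim depth instead of the maximal one matters: stripping the leading "0" from "0r4n93" would hide the "orange" underneath.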
0wned.
Ruudjah on May 4, 2009 4:12 AM
Was it "orange"?
Goran on May 4, 2009 4:26 AM
C'mon..I have work to do..Now who's gonna spend time finding out how he did it..Damn! You just ruined my working day..
I appreciate the guy with ethics.. :)
Saj on May 4, 2009 4:29 AM
Don't be silly, do you think Jeff is stupid?
It was of course 0r4n93.
Adam Philips on May 4, 2009 4:32 AM
How did this person discover your password? My guess is you inadvertently typed your password into a Stack Overflow field while thinking focus was on another window. The perp then spotted the random word in an SO post, and guessed that it must be a password.
Douglas F Shearer on May 4, 2009 4:34 AM
I'm going to guess he got your password the same way Anonymous got Sarah Palin's Yahoo account password: broken secret question system.
Jason on May 4, 2009 4:36 AM
I would have to guess that it was a cross-site attack (XSS); you mentioned it in a particular blog post as well as several times when talking about particular vulnerabilities that you should pay attention to. Personally I'm partial to picking randomly generated passwords from "pwgen", writing them down together with all my old passwords on a note which I keep somewhere safe. It's surprising, though, how quickly you can memorize a number of random alphanumerics.
http://www.codinghorror.com/blog/archives/001171.html
Stefan on May 4, 2009 4:38 AM
I suppose it was contained in a config file which you published somewhere.
Or you used the same password on another website which is controlled by the attacker.
good thing i don't use OpenID for anything other than Stack Overflow...
Jens on May 4, 2009 4:51 AM
The most likely cause was that you used it on his site and he is logging passwords or saving them un-hashed.
Malte on May 4, 2009 4:52 AM
but will you punish him? :)
Gregory on May 4, 2009 4:53 AM
Lemme guess...
He created a dummy stackoverflow site and phished you into entering your password into that.
Miff on May 4, 2009 4:55 AM
My first thought was the same as Malte's - while orange is a good guess, that would fall under the "dictionary" category that Jeff is denying.
Chris on May 4, 2009 5:00 AM
Wait a minute, I think it might be an exploit in the "Create new User" page.
Mainly because I went to register an account there and it gave me a 404 error when I clicked "Create new User".
Miff on May 4, 2009 5:00 AM
the password was orange! Mainly because my captcha is "orange"!!!!! It's a sign, you see.
Tony on May 4, 2009 5:03 AM
My lucky guess would be "Rockhardawesome".
Orkun Balkanci on May 4, 2009 5:04 AM
Jeff! There is no end to adequate and convenient password management programs on every platform! You should use one (and use long random passwords), or use the technique that you once proffered on a Stack Overflow Podcast:
any_hash(url + your_easy_to_remember_password);
Of course in your case both the url and password are obvious (evidently), so you would have to add one more piece of information, or hash the hash, or do anything else that could be reproducible.
Jeesh, it's like you're a movie supervillain or something.
guns on May 4, 2009 5:11 AM
random guess: jeff@wood
danimajo on May 4, 2009 5:13 AM
I think it was thequickbrownfoxjumpsoverthelazydog as seen here: http://www.codinghorror.com/blog/archives/000949.html
mannu on May 4, 2009 5:15 AM
Will he get the hacker badge?
nagnatron on May 4, 2009 5:19 AM
danimajo had my guess. J3ff@wood or variants thereof.
Tom on May 4, 2009 5:20 AM
It must be orange or WOWrocks?
Wanko on May 4, 2009 5:25 AM
I guess "horrorCoding"
Paul on May 4, 2009 5:31 AM
guiterhero
Dudi on May 4, 2009 5:32 AM
My guess is that the password was Wumpus related.
Greg on May 4, 2009 5:32 AM
My guess - it was a pass phrase about the convenience of OpenID, used in one of the posts.
Rarst on May 4, 2009 5:36 AM
crosssitescripting,
you read a blog of his while being logged in using openid
is this technically possible? :)
... wanders off to look for new 'hacker badges' ...
anon on May 4, 2009 5:42 AM
He had your password before your openID provider - which leads me to believe you typed your password somewhere that wasn't secure. I don't think you would have been duped by an XSS. I'm going to go with bad input sanitation. Javascript was inserted into a comment on an answer you wrote, and when you viewed your user page, he received your password.
Josh on May 4, 2009 5:43 AM
Can I recommend LastPass:
https://lastpass.com/technology.php
Free, secure, machine and platform independent.
Tom A on May 4, 2009 5:44 AM
I'm gonna guess XSRF (somehow)
matt b on May 4, 2009 5:48 AM
I bet you wrote it on a post-it note near your computer and your wife saw it! She totally stole your password! SHE IS RIGHT BEHIND YOU!
(OK, it was worth a shot.)
Shmork on May 4, 2009 5:50 AM
Just some guesses:
- NoWayInHell
- IHeartBunnies!
- this is my password
- Password1!
- deliciously-salty-
or his e-mail address ...
Hinek on May 4, 2009 5:53 AM
@danimajo, lol that's funny
@jeff atwood, that sucks.. but i understand what you mean. Some of my accounts online have very weak passwords, but as you have mentioned on the podcast, who cares about hammocks.com?? also, i'm just a lowly internet troll whereas you run a pretty successful online community, that might make a difference.
theman on May 4, 2009 5:56 AM
o yea, and as far as the password, orange +1
theman on May 4, 2009 5:57 AM
With SuperGenPass nobody has an excuse for lame passwords on any web account.
Use it!
Kevin on May 4, 2009 5:58 AM
I would guess HenryBurton from the post http://www.codinghorror.com/blog/archives/001242.html
I've seen the movie War Games way too many times :)
Perhaps you comment on one of his blogs or use one of his services where you log in and he knew a) you were Jeff Atwood and b) stores passwords as plaintext in his system rather than hashing them. Failing that, maybe you wrote something on twitter or something that gave him an idea. Anyway, you should use autogenerated passwords.
Also, one thing I love about this is that it shows OpenID for what it is, a bad idea and gaping security hole. You said yourself that you use a password you don't care about to log in to Stackoverflow. But the problem is, if you have several different passwords, an attacker needs multiple attack vectors to totally take over your "online identity" rather than just your open id account that not only is the same password but the same username. As well, given that there are not that many Open ID providers, you don't even have to know the particular provider (just try them all).
5t4ck0v3rfl0w
Dan Roberts on May 4, 2009 6:07 AM
guys, a hint:
http://www.google.com/search?q=site%3Awww.codinghorror.com+password
the most often used keyboard shortcut?
ctrlcv
thequickOrangefoxjumpedoverthelazydog
: )
I know nothing about security or hacking a site, but smart ass I've got covered pretty well. LOL
I don't like OpenID and was disappointed that SO used it. Why not just stick to ordinary passwords, enforce complexity if you have to. OpenID is just more complexity, which means more ways to fail.
Martin on May 4, 2009 6:14 AM
It must have been very tempting to play a joke, at least. I'd have had a hard time not asking, as Jeff Atwood, "How is babby formed?????"
Good for you, anonymous guy. Talk about self-restraint!
Jason P-R (stalepretzel) on May 4, 2009 6:15 AM
The dictionary he used was all the words of this blog.
And the password might be in http://www.softexia.com/news.php?readmore=4219
5t4ck0v3rfl0w +1
(today I heard it spoken! I mean, orange!)
(funny how, when you fail to enter the word,
you can't have it spoken again. Kafka was here)
I'm curious - in what post did Jeff's OpenID choice get disclosed? It happened "a few days ago" but I haven't found it yet. Or maybe Jeff did some editing I didn't notice.
Adam V on May 4, 2009 6:19 AM
The most likely method I can think of is that you are a user of one of his/her websites and used the same password on both that site and your openid site.
Chas. Owens on May 4, 2009 6:20 AM
123456
Practicality on May 4, 2009 6:21 AM
@Adam V. it was on the Stack Overflow blog: http://blog.stackoverflow.com/2009/04/googles-openids-are-unique-per-domain/
Chas. Owens on May 4, 2009 6:22 AM
bahahahahaha
Joe Beam on May 4, 2009 6:32 AM
... cross site request attack on one of the sites you log in to? Perhaps the cookie he got also contained the id.
Herr_Alien on May 4, 2009 6:35 AM
He probably made you log into his page using your openid account and used some xss trickery to get your password.
ajuc on May 4, 2009 6:36 AM
Hm, I've re-read the mail.
"The only reason I had the password is because your password is totally inadequate for someone running a site like StackOverflow"
This doesn't seem to indicate XSS, or getting the password from another site, or Jeff mistakenly typing it anywhere. It seems more likely that the password was a fairly easy guess for anyone paying careful attention to Jeff's considerable web presence.
Which still doesn't really answer the question...
Ben on May 4, 2009 6:39 AM
OpenID: http://blog.stackoverflow.com/2009/04/googles-openids-are-unique-per-domain/
Password: http://www.codinghorror.com/blog/archives/001056.html
I didn't have time to read all the comments, so sorry if someone else addressed this.
I would argue that this password "typically for low-value logins like blog comments and so forth" is not "low value." If someone did have a grudge and could start impersonating you in the comments on other blogs, that could seriously damage your reputation before you were able to start cleaning it up. Reputation is a rather "high-value" item, I think.
Stephen on May 4, 2009 6:41 AM
Was it something to do with this OAuth Security Vulnerability? http://oauth.net/advisories/2009-1
I'm not sure if he could get the victim (you) to follow the malicious link and validate his token though.
Jamie on May 4, 2009 6:44 AM
The dictionary could have been any word or phrase scraped from the blog transcript, twitter... or anywhere else Jeff has let loose.
jms on May 4, 2009 6:44 AM
I would guess you used the same password on another site, and the attacker was able to retrieve it from there.
Yevgeny on May 4, 2009 6:46 AM
Yes, Jeff should have had a higher-security password for StackOverflow. On the other hand, priorities can change when you're not thinking about them.
I had (and have) an account with Barnes & Noble, which I had a low-security password for. Then they changed things so they stored credit card data online, for my convenience. After a while, I realized that I had a low-security password on an account with credit card data, so anybody who knew (or could guess) my throwaway password could order books. It's better now.
(Not that my low-security passwords are actually easy, but they get used in lots of places, and have been emailed in plaintext.)
@Stephen
Blog comments aren't exactly a poster child for password security.
On most blogs, you can impersonate anyone you want. If you make it look more legitimate, it's still not non-repudiable.
Take this comment as an example. I could've supplied my username as you, and if you'd supplied a URL, I could have used that too, and then all evidence available to the public might point back at your site, but the content I'd written here would be mine, and could tarnish your silvery reputation.
(not) Stephen
Stephen on May 4, 2009 6:54 AM
"BadMotherfucker"
Pardon my French, but it's on Jeff's Leatherman I think (I read the keychain post yesterday in relation to his wallet post)
Ate on May 4, 2009 6:54 AM
WhoringCoder?
Al Tenhundfeld on May 4, 2009 7:01 AM
Jeff:
probably time to go back and listen to that podcast/conversation you had with Scott Hanselman in which he was horrified by the security (or lack thereof) of your site. I am sure this is only the beginning of such situations.
mike johnson on May 4, 2009 7:01 AM
Hah, it's not as simple as "Fgpyyih804423", is it?
Jeroen on May 4, 2009 7:02 AM
Wow, IHeartBunnies!, nice.
dave on May 4, 2009 7:03 AM
Very interesting email, I should say. This guy, whoever it is, is a nice guy. I bet he should be rewarded for his honesty. I am not sure orange is the password; it's very easy to guess and very open. I guess the password might have been your kid's name or date of birth or your wife's name or birthday? But then again it may not be true, I suppose. I suppose this was just some random guess and it worked. Was it like "SQL injection" or "buffer overruns" (taking a hint from this post: http://www.codinghorror.com/blog/archives/001167.html)?
I am really eager to know this person and how he logged in as you. Will we know the name of this person too?
Anand.V.V.N on May 4, 2009 7:04 AM
Did you leet-speakify your password and think that would keep someone from guessing it?
Zach on May 4, 2009 7:06 AM
Hopefully it wasn't something as stupid as using your wife's or son's name (possibly backwards). I see that far too much where I work.
Jeff on May 4, 2009 7:12 AM
I want to know, too. Did he get the hacker badge?
I vote that he should get it. He did you a service, and handled it ethically.
Charles on May 4, 2009 7:17 AM
He didn't guess your password because it was "dictionary-like." He has access to a site -- either legitimately or illegitimately -- where your "blog password" was logged or stored in plain-text format.
Security tips to avoid this: Use a different password for every site that you log in to. Either store the passwords electronically or have some mechanism to vary them. Either way is somewhat insecure, but I prefer the first.
Thras on May 4, 2009 7:18 AM
Better get rid of OpenID altogether. I hate that crappy system; get yourself a login system already.
Dan on May 4, 2009 7:27 AM
Was it StackOverflow?
dean on May 4, 2009 7:31 AM
My guess is that it is a slightly changed version of the url/name of the OpenID provider that Jeff uses.
Chris Porter on May 4, 2009 7:32 AM
I'm glad I use an OpenID provider (Vidoop) that doesn't use passwords.
Aaron on May 4, 2009 7:35 AM
P/W guess: h0m1nah0m1na, fakepl@st1cr0ck, cliffsofdover?
I think it takes a big man to reveal his imperfections and missteps.
Gray Fox on May 4, 2009 7:36 AM
The second I heard Jeff say his OpenID account, I knew it was a matter of time until his account was hacked into. I just didn't realize it would be so soon.
Brad Gilbert on May 4, 2009 7:38 AM
Not only does this guy deserve a hacker badge, he deserves your child. You owe him BIG time for the lack of a brutal exploitation.
Josh Stodola on May 4, 2009 7:42 AM
He alerted you in good faith of an issue on your site, and you call him a dummy. Very nice.
Anonymous on May 4, 2009 7:58 AM
name of your son?
Gulzar on May 4, 2009 8:01 AM
Well, yesterday you twittered something about a security hole in Stackoverflow and a full Rock Band 2 Wii setup. So I'll go out on a limb and guess that it's got something to do with Rock Band 2 on the Wii. Perhaps the name you go by when you're playing RB2 online?
Frank on May 4, 2009 8:08 AM
I'm guessing the openID provider you utilize has no ip/authorization attempt throttling and your secret friend merely brutalized their server until he found your awesometastic password.
I will say that you've got pretty big ones, Jeff. It takes a big guy to admit that his account has been compromised and that it is partially his fault. Kudos.
I look forward to finding out the rest of the story tomorrow [after the hole is sealed up, I assume].
phreakre on May 4, 2009 8:10 AM
This is one of the possible disadvantages of OpenID, when you happen to cross paths with a hacker, or the negligence of someone you trust.
You were lucky that the guy found the issue by mistake; if it had been intentional, this would be an apologetic posting instead.
Andrei on May 4, 2009 8:12 AM
"WhatAreYouLookin'At?" or "Fgpyyih804423"?
chris on May 4, 2009 8:18 AM
@phreakre
It doesn't sound like it was a brute force dictionary attack on the OpenID server. The e-mailer seems to imply that he discovered a possible password *first* and then only after Jeff's OpenID was revealed he decided to try it, and that single attempt succeeded.
Tyler on May 4, 2009 8:22 AM
I'm going to guess this person is the admin of a site that stores passwords in clear text where you are registered and tried the same password you had on that site with your OpenID provider.
Chad Moran on May 4, 2009 8:23 AM
No, that wouldn't make sense as those were from much older posts... maybe something from one of those wallets; probably the Costanza wallet. Reading that script was hilarious - thanks for linking to it... I missed that episode :)
chris on May 4, 2009 8:23 AM
I hate to sound like a jerk, Jeff, but stuff like this is why I'm reluctant to actually take seriously the opinions expressed in your articles. Like, how many times do we have to be admonished not to have a dictionary password? At some point, doesn't a person who fails to heed this advice just not *get* security? If "dictionary attacks are for dummies", what does that make you? Heaven help us all if Stack Overflow should start taking credit card numbers one day.
I appreciate your openness, but don't really appreciate the hemming and hawing in this post. You got owned, so pick better passwords and fix your shit further if necessary.
KT on May 4, 2009 8:26 AM
I'm guessing the account does not automatically lock after X failed login attempts, so the hacker was free to try as often as (s)he liked.
Rob on May 4, 2009 8:26 AM
When there are more and more users on the net, and when more and more of them try to log in as you, well, someone might get the password right.
Silvercode on May 4, 2009 8:34 AM
jeff, are you trying to catch that guy?
maybe from his ip :D
I didn't do much digging, but from the one thing that did catch my eye, the openid provider was stored as a clientside cookie in plaintext, hence i can change it to some obscure provider, like my own ip address, and authenticate myself no matter whose openid i enter, will require some modifying of (http://stackoverflow.com/Content/Js/third-party/openid-jquery.js) that will get me logged in, but no idea how he got ur password from that? am i close :)
Neil Naidoo on May 4, 2009 8:41 AM
It is ●●●●●●●●●●●●. You posted it on Twitter: http://twitter.com/codinghorror/status/1229564771
Jacobo on May 4, 2009 8:42 AM
Lol, I also vote for 'orange'. You totally have to give this guy the Hacker badge, though. I would be grateful to him for finding the hole, trying it out but not doing anything malicious (so it seems), and then letting you know--very cool.
Sarah on May 4, 2009 8:42 AM
surely someone didn't like this http://www.codinghorror.com/blog/images/a-bunch-of-clowns.jpg
Anand on May 4, 2009 8:42 AM
Your screenshot from the OpenID post shows a hidden password of 12 characters. CodingHorror = 12
Bannor on May 4, 2009 8:51 AM
I figured it out! After you optimized your wallet, the hacker got your old wallet which contained a slip of paper with all your passwords. The hacker was either your garbage man or a nosy neighbor. Case closed.
Tom on May 4, 2009 8:51 AM
While scanning through these comments, wondering "which answer is the correct one?" and "I wonder if Jeff commented to acknowledge one as the best answer" I couldn't help but think...
This question should have been posted on StackOverflow instead of on your blog. :-)
Jeff Handley on May 4, 2009 8:55 AM
*RRING*
"Hello, I'm the administrator of StackOverflow, we're doing some routine security checks and your account came up as a possible risk. We need you to verify your password."
It wasn't until fifteen minutes later that he realized that he WAS the administrator of StackOverflow.
AndyL on May 4, 2009 8:57 AM
jumpedtheshark ?
Steve on May 4, 2009 8:59 AM
Anyone as "high profile" as Jeff is has no low-value passwords! The taller you stand the bigger target you become. Just ask Gov. Palin who was fine until she ran for VP; then they came out of the woodwork after her.
This was a painless lesson learned, Jeff. Beware the next one. :)
Deverill on May 4, 2009 9:04 AM
1. hacker is an admin of a site that requires a username / password.
2. hacker reviews login events for failed events with usernames that look suspiciously like a password (p@ssw0rd or justpaulp@ssw0rd).
3. hacker looks for a subsequent correct login from the same ip (username: justpaul)
4. hacker surmises justpaul's password is p@ssw0rd and that justpaul was in a hurry and didn't see he was entering his password in the username field before he hit enter.
5. justpaul uses the same password for lower-security-level login sites as he does his openid account (which hacker already established how he put user together with openid account.)
An educated guess would say that the authentication took place via an HTTP GET request (instead of a POST) and then you ended up clicking on a link on Stack Overflow that took you to his site. He looks at his web logs, sees an odd referer [sic] in there, and voila, there's your password.
Andrew M on May 4, 2009 9:22 AM
You filled in a form, and typed your passwd in the name field instead.
http://www.codinghorror.com/blog/archives/000342.html
"I've adopted passphrases across the board on all the systems I use."
And maybe he just found out one of those passphrases?
Jānis Veinbergs on May 4, 2009 9:26 AM
Wumpus?
Virat on May 4, 2009 9:35 AM
Hmmm...
Was that 'anonymous email' really so anonymous? It would seem to me that this email might well have been fabricated by Mr Jeff Atwood himself.
how do you think this person discovered my password?
By being Jeff Atwood.
He:
a) retrieved the password from memory
b) typed it in.
I think it was probably the fault of SSL:
http://news.zdnet.com/2100-9595_22-294755.html
Steve on May 4, 2009 9:49 AM
When travelling it's pretty common to find PCs with Hotmail or Gmail sessions already open. In these cases I always act as the hacker, send an e-mail and log out. At home it's ok to forget logging out because the computer is personal, but not in an internet cafe. Even for IT people it's not so rare to forget doing that.
lluis on May 4, 2009 9:50 AM
$t@ck0v3rfl0w
Eber Irigoyen on May 4, 2009 9:54 AM
Simple: OpenID sucks for security
Nicolas on May 4, 2009 10:00 AM
It seems that Jeff's openid provider lets you try as many logins as you want. There is no rate limiting, allowing dictionary attacks easily.
Nick on May 4, 2009 10:09 AM
I hope it's not just that the attacker hammered the OpenID server. That would be really boring. The author of the e-mail makes it sound like the method of obtaining the password was more clever than that.
Tyler on May 4, 2009 10:15 AM
Was it gaben?
ThomW on May 4, 2009 10:24 AM
never used openid, never will.
from you i would expect orange or WhatAreYouLookin'at!
DawnOfWar on May 4, 2009 10:24 AM
I wrote a script last year to generate a password card:
http://scriptmaven.blogspot.com/
You can use the same constraint rules as Sudoku to generate a 9 x 9 grid of secure passwords. Each row, column or 3x3 grid has the same combination form of letters, numbers, and symbols, in different orders of course. 9 secure password strings end up giving you 27 different passwords, or more if you play with the ordering. I print two of these side by side to get 54 passwords.
Script Maven on May 4, 2009 10:26 AM
It can't be orange, Jeff uses pass-phrases not passwords.
FS on May 4, 2009 10:33 AM
That's why I have myopenid call me whenever it needs to verify a login attempt. The chances you have my password and my phone are a lot slimmer than either one alone.
Francis on May 4, 2009 10:37 AM
francis, thanks for the heads up
theman on May 4, 2009 10:46 AM
@mannu -
I think you're right, it's got to be thequickbrownfoxjumpsoverthelazydog, based on the post you linked. That post has been getting attention again on Hacker News this weekend, which fits the timeline.
Good catch.
George on May 4, 2009 10:47 AM
I bet it was wumpus.
zvikara on May 4, 2009 11:08 AM
Is it like this ???
http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx
Hatem Nassrat on May 4, 2009 11:09 AM
Since I am a dad as well, I would get rockhardawesome (the name of your son's twitter account).
Chris Hubbard on May 4, 2009 11:11 AM
It's "dictionary"
Eclectic Reader on May 4, 2009 11:28 AM
He asked you for it.
rehashed on May 4, 2009 11:34 AM
I'm guessing he did a google search that found a SHA1 hash of your password somewhere on the net, then ran another search of that hash to find a matching plaintext.
Tim on May 4, 2009 11:38 AM
More hindsight wisdom coming our way - tomorrow. Excellent.
Magic of a good password: at least 10 chars in length, some uppercase, some numbers, some lowercase, some special characters.
Magic of a secure workstation: server accepts admin-level logins only from pre-defined IPs.
Magic of not making these mistakes: experience.
BugFree on May 4, 2009 11:42 AM
My guess is cross site request forgery (CSRF or XSRF). He had one piece of information (your open ID) and was able to trick the open ID site into giving up your password by providing another piece of information that he could easily deduce.
Matt on May 4, 2009 11:43 AM
This is the big reason that I absolutely refuse to have an openid. Period. What good is a username / password if the same set can unlock every site I'm a part of?
anon on May 4, 2009 11:44 AM
So, what openid provider is this unsafe provider?? And what openid provider is not unsafe? Will we get to know?? I certainly would...
Svish on May 4, 2009 11:53 AM
Fgpyyih804423
Kevin C on May 4, 2009 11:55 AM
password was codinghorror
BugFree on May 4, 2009 12:00 PM
Since Jeff recently had a new addition to the family, maybe he went with the "War Games" approach, though I doubt that :)
Uri on May 4, 2009 12:22 PM
If your password was indeed codinghorror, close this site immediately and stop blogging.
Andrew on May 4, 2009 12:31 PM
Did he or she find your password by brute-force guessing on another website you use that doesn't threshold logins?
Benjamin Stover on May 4, 2009 12:41 PM
orangeslice
Stankley on May 4, 2009 12:48 PM
OK, this is a TRULY random guess, is it t;AoVD061MBWm=NX6V+u?
Patrik Hägne on May 4, 2009 1:03 PM
hm, maybe password was... bufferoverflow? <g>
stackunderflow?
vistarocks?
diggthis#$@%!
BugFree on May 4, 2009 1:13 PM
Teasers suck.
btmorex on May 4, 2009 1:20 PM
2nd for fakeplasticrock
yikes on May 4, 2009 1:27 PM
I'm going to guess "Joshua" or some other trivia from the movie War Games, since on your SO user profile page you have a screenshot from the movie (and "Joshua" was the backdoor password to WOPR).
achaetes on May 4, 2009 1:31 PM
I suppose that the "good-will-hacker" has access to the passwords of another site where you are registered as a user...
menek on May 4, 2009 1:36 PM
3ee70r4Ng323 (leetorange23 in leet speak) _is_, and should always be, considered a dictionary password. Changing a letter for a number is not secure; case and 2 numbers at beginning or end are already checked when brute-forcing hashes.
Take a dictionary, whatever the language (hell, I still have the 300Mb dictionary from back when I was working in security, containing Japanese and Russian romanization of words and common website URLs), and whatever the case, leet speak and/or 3 numbers at beginning/end, it's still part of the dictionary. Period.
Disclaimer: I'm not that guy.
h on May 4, 2009 1:48 PM
I don't get it.
What's the point of having multiple OpenIDs anyway? I thought the point was that you don't need a different username and password for every site.
Now you need a super-secret "OpenID" for "important" sites and a different OpenID that's only a bit secret for sites where it wouldn't matter if everyone knew your password anyway?
Even if the hacker just guessed the password, it all seems kinda pointless.
Also, how many times do people have to be told that you log in as administrator when you're administering and log in as a regular user when doing regular user stuff, which implies that a person who both uses and administers a site should have, say, two freaking accounts?
How hard would that be, anyway? Really? Can't be done?
And for a completely insane and ridiculous suggestion that no sensible person would ever consider, perhaps even use some advanced high-tech security like public key based client authentication? Fine, your regular users won't want to deal with that, but presumably the guys running the site aren't your typical vegetables, and could cope. Then the site admin accounts would be even more secure than they are now.
I would guess that, on another website that either this person moderates or has access to, your password is being stored as a plaintext value in their database. He followed your internet trail back to this blog, at which point all he needed was the openID provider.
Joseph on May 4, 2009 2:10 PM
Was it swordfish?
1800 INFORMATION on May 4, 2009 2:22 PM
Jeff, how many times did your ethical hacker fail at logging in under your name before succeeding?
Phil Deneka on May 4, 2009 2:24 PM
My guess is wumpus as well.
andrewdoak on May 4, 2009 2:36 PM
'I drive a 1998 Ford Contour.'
baa on May 4, 2009 2:44 PM
Wow, that might be the nicest thing a stranger will ever do for you. I certainly wouldn't punish him (her?!). And it probably deserves the secret hacker badge; probably not for technical prowess, but for the true hacker ethic.
tektor on May 4, 2009 2:55 PM
Maybe a dictionary attack that covers all the typical number substitutions for letters, i.e. 0range, or App1e.
Justin on May 4, 2009 3:10 PM
Oh right, and all you guys that are talking about dictionary attacks look to be off the mark. The email itself says it:
> I had a possible password; today your blog post revealed the openid provider. I logged in, freaked out that it actually worked, then logged out.
He already had the password - there was no need for a dictionary attack - all he needed to know was the openid provider (probably google) and then he could log in using his google credentials, not to mention he could probably check his email, and all that other good stuff that google gives you.
1800 INFORMATION on May 4, 2009 3:15 PM
Since openID passwords are encrypted, this hacker most likely picked up the hash value from IP traffic and then went to one of the sites which allow you to decrypt MD5 by a little bit of brute force. Since we know that the password was a dictionary word, brute force could have been quite gentle in this case.
BugFree on May 4, 2009 3:17 PM
sixtoeightweeks
Alan Wright on May 4, 2009 3:19 PM
It's "password"
Bratch on May 4, 2009 3:28 PM
3rd vote for Rockhardawesome
CLB on May 4, 2009 3:50 PM
He created a GUI in visual basic and tracked your IP address.
Tom on May 4, 2009 3:53 PM
Social engineering is the usual way - mentioned girlfriend/pet/streetname possibly?
Beren on May 4, 2009 3:59 PM
Something to do with the following: wumpus, elizabeth, billcosby, jooky, burton, betsy, gamebasement, wise-ebusiness, boland boss, chuck snyder, lifepoint, brentwood
parker on May 4, 2009 4:09 PM
Or if I was able to figure out your crystaltech account ID (which could easily be social engineered), that'd open the floodgates for me.
parker on May 4, 2009 4:11 PM
May I just add that the concept of the "Hacker" badge (if implemented as the anonymous emailer suggested) is one of the best security "Hacks" ever. Find something of little value you can give people to get them to attempt to hack your site and admit it.
Encourage Hacking!
Bill K on May 4, 2009 4:19 PM
Passwords are flawed, they are too easily broken, but I've found the cure: I don't use passwords. Think about it - you only change your password and that's only half of your identifier when logging in!
Isntead, every 28 days I change my identity. This month I'm "Gerald Wobblebottom". Who knows who I will be next month. In fact, some days I don't know who I am until I get to work and see my name on the door.
Philip on May 4, 2009 4:22 PMI'll also say Rockhardawsome
Joel on May 4, 2009 4:43 PMthe password is...
1... 2... 3... 4... 5...
Hey! That's the same combination I have on my luggage!
TG on May 4, 2009 4:50 PMI know Steve Gibson and you sir are no Steve Gibson ;-)
sw on May 4, 2009 4:59 PMDon't you just love SpaceBalls the movie? Only a geek could quote from that movie!!!
Philip on May 4, 2009 4:59 PMFYI the "1... 2... 3... 4... 5..." by TG was from spaceballs.
Philip on May 4, 2009 5:00 PMA possible guess: two common words with predictable punctuations replaceing letters that look similar, like @ for a, ! for i or l. I've observed this lazyness even in the security industry of all places as a simple protection against dictionary attack which they wrongly presumed was not evolving. Pretty silly, really.
Don Park on May 4, 2009 5:27 PMPracticality, are you sure it has a 6 on the end? I thought it was 12345.
No other Spaceballs references on Star Wars day? :(
Andrew Grimm on May 4, 2009 5:33 PMI know it was "goatse" wasn't it.
Tom on May 4, 2009 6:00 PMfail
dude on May 4, 2009 6:18 PMis it ********** ?
dedenf on May 4, 2009 6:51 PMPassword strength is generally arbitrary unless someone can actually get their hands on your password hash... I can't think of anyone would would actually attempt a dictionary attack or a brute-force attack against a website these days, never mind the fact that few websites even allow this to take place (captcha).
For people like this guy and me, it is only natural to try to find ways to break websites... make them do things they aren't suppose to do. There is zero reason to be upset with the guy for what he did, so I am glad to see you did not rag on him in your response. I applaud him for his ethics - most people would not be so graceful.
Tulle on May 4, 2009 7:07 PMHey Now Jeff,
Didn't we hear this on a pod a few moons ago? Maybe Hanselminutes on a second show where he it wasn't a planned recording? I'm gonna have to go research that (maybe #135). Anyhow nice post.
Coding Horror Fan,
Catto
More interested now as to how many invalid login attempts you have had in the last day.
You guys are way off, its all in the email "but man - dictionary password! "
the password was dictionary1
HMan on May 4, 2009 8:32 PMMy guess is : thequickbrownfoxjumpedtheshark
Julien Grenier on May 4, 2009 8:36 PMJeff, you need "LoginEasy". With LoginEasy, you login EASY with strong passwords.
Ttenk
May 05, 2009 (05:00 AM GMT)
The DickensURL for this post is great:
The bearings of this observation lays in the application on it.
http://dickensurl.com/94f7/The_bearings_of_this_observation_lays_in_the_application_on_it
markm on May 4, 2009 10:03 PMis it Stackoverfault ???
Adeel Alvi on May 4, 2009 10:08 PMMy guess is, you have ur Forgot Password function set which allows passwords to be sent to your mail id in plain-text format!!!! Thats the way he got it...
Ravi. on May 4, 2009 10:29 PMOrange you glad it wasn't 'coding' or 'horror'.
+1 for WhatAreYouLookin'At?
Shinhan on May 4, 2009 11:28 PMI think automated password-guesser could do the work
Ahmed Mozaly on May 4, 2009 11:28 PMWhy is it that someone guessing Jeff's password somehow reflects on security of OpenID?
Goran on May 4, 2009 11:32 PM@Goran, Your "orange" comment made me laugh.
"Why is it that someone guessing Jeff's password somehow reflects on security of OpenID?"
Not necessarily a comment on OpenID in general, but it would certainly be possible for an OpenID ~provider~ to not throttle connection attempts. If this was the case it would take a trivial amount of time to exhaust some pretty large password dictionaries.
Simucal on May 4, 2009 11:39 PMI found the details of Ip-Address on the site named http://www.ip-details.com/.All the informations very fast to access.
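Simucal's point above, that a provider which does not throttle attempts can have a large dictionary run against it in a trivial amount of time, is exactly what per-account login throttling exists to stop. What follows is an added example for this thread, not code from Coding Horror, Stack Overflow or any OpenID provider: the account name, the stored password, the guess list, the free-failure count and the backoff schedule are all constructed assumptions, and the simulation replays guesses at a fixed rate so the effect of throttling can be measured.

```python
"""Throttling online password guessing at the login endpoint.

Added example for this comment thread, not code from Coding Horror,
Stack Overflow or any OpenID provider. The account, password, guess list
and backoff parameters are constructed. Times are integer milliseconds so
the simulation is exact and reproducible.
"""
import hashlib
import hmac

# Constructed credential store. A real provider keeps a salted, slow hash
# (bcrypt, scrypt, PBKDF2); a bare SHA-256 is used here only to keep the
# example self-contained.
USERS = {"jeff": hashlib.sha256(b"word2500").hexdigest()}


def check_password(account: str, password: str) -> bool:
    """Constant-time comparison against the stored digest."""
    stored = USERS.get(account)
    digest = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, digest)


class Throttle:
    """Per-account exponential backoff after a few free failures.

    Keyed by account rather than source address, so an attacker cannot
    reset the counter by rotating IP addresses.
    """

    def __init__(self, free_failures=5, base_delay_ms=1000, max_delay_ms=900_000):
        self.free_failures = free_failures
        self.base_delay_ms = base_delay_ms
        self.max_delay_ms = max_delay_ms
        self.state = {}  # account -> (consecutive failures, locked-until ms)

    def wait_ms(self, account: str, now_ms: int) -> int:
        """Milliseconds the account must still wait; 0 means an attempt is allowed."""
        _, locked_until = self.state.get(account, (0, 0))
        return max(0, locked_until - now_ms)

    def record(self, account: str, ok: bool, now_ms: int) -> None:
        if ok:
            self.state.pop(account, None)  # a success clears the counter
            return
        count, _ = self.state.get(account, (0, 0))
        count += 1
        excess = count - self.free_failures
        delay = 0 if excess <= 0 else min(self.max_delay_ms,
                                          self.base_delay_ms * 2 ** (excess - 1))
        self.state[account] = (count, now_ms + delay)


def login(throttle: Throttle, account: str, password: str, now_ms: int) -> str:
    """Returns 'ok', 'denied' or 'throttled'; throttled attempts never reach the password check."""
    if throttle.wait_ms(account, now_ms) > 0:
        return "throttled"
    ok = check_password(account, password)
    throttle.record(account, ok, now_ms)
    return "ok" if ok else "denied"


def simulate_dictionary_attack(throttle, guesses, rate_per_s=50, horizon_s=60):
    """Replay a guess list against one account at a fixed rate.

    Returns (found, guesses_checked): whether the correct password was reached
    within the horizon, and how many guesses the server actually evaluated.
    """
    step_ms = 1000 // rate_per_s
    checked = 0
    for i, guess in enumerate(guesses):
        now_ms = i * step_ms
        if now_ms >= horizon_s * 1000:
            break
        result = login(throttle, "jeff", guess, now_ms)
        if result != "throttled":
            checked += 1
        if result == "ok":
            return True, checked
    return False, checked


# Constructed guess list: a 5000-word "dictionary" with the real password in the middle.
GUESSES = [f"word{i}" for i in range(5000)]

if __name__ == "__main__":
    print("no throttle:", simulate_dictionary_attack(Throttle(free_failures=10**9), GUESSES))
    print("throttled:  ", simulate_dictionary_attack(Throttle(), GUESSES))
```

With these assumptions the unthrottled provider lets the attacker evaluate all 2501 guesses it needs in 50 seconds, while the backoff schedule lets the server evaluate only 11 guesses in the first minute and rejects the rest before the password check runs. The flip side is that the legitimate owner's correct password is also rejected while the account is in backoff, which is the denial-of-service lever that makes pure per-account lockout unattractive on its own; providers usually combine it with per-source limits and, as dedenf notes above, a CAPTCHA once the free failures are used up.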
passwords are a thing of a past..
we use finger print ids now...
soon to be available for websites...
Soon to be available? The crappy Biometric software I had on a toshiba tecra 3 or 4 years ago integrated quite nicely with firefox through a plugin.
That said, I still use passwords!
Shannon on May 5, 2009 12:47 AM
It wasn't 5tack0v3rf10w was it?
Jeff, what are your views on biometrics?
Tom on May 5, 2009 1:38 AM
My guess? "rockhardawesome"
Tom on May 5, 2009 1:59 AM
"Not necessarily a comment on OpenID in general, but it would certainly be possible for an OpenID ~provider~ to not throttle connection attempts. If this was the case it would take a trivial amount of time to exhaust some pretty large password dictionaries."
With some argument over the values of "trivial" and "pretty large", of course. You're also dependent on your browser or keyboard driver not keylogging all data passed into it and streaming it out. Isn't there validity to "We have to trust someone, and OpenID's better than Random Site 202811"?
Tom on May 5, 2009 2:04 AM
Maybe Cross-site scripting (XSS) or just brute force.
freggel on May 5, 2009 3:11 AM
Was it this?
"Open sesame!!"
(with variations on the number of Exclamation marks)
titrat on May 5, 2009 4:43 AM
was it "X74@&z3!" ?
from http://www.codinghorror.com/blog/archives/000360.html
orange77
Bob on May 5, 2009 4:48 AM
I guess the first name of your kid or its birth date :-)
ECC on May 5, 2009 5:46 AM
I think the password was ffej
RBoy on May 5, 2009 6:16 AM
rainbow tables
mike c on May 5, 2009 6:39 AM
I say "deliciously-salty-password"
Suroot on May 5, 2009 6:48 AM
I bet on a referrer attack that carries the sessionID from your session to the hacker's site over a querystring parameter...
Steve B. on May 5, 2009 6:48 AM
I guess he got his account stolen and now he can't post anymore.
Monkios on May 5, 2009 8:25 AM
Tomorrow is here.. waiting !
Preeti Edul on May 5, 2009 8:46 AM
He totally wussed out ...
Then again if I had a couple thousand regular readers waiting to see how I screwed up I might also.
;)
klietus on May 5, 2009 8:47 AM
I'm sure Jeff doesn't know how it happened and is asking the community for the right answer ;-)
neutral joker on May 5, 2009 9:43 AM
He won't be able to post the answer maybe if anonymous has taken control of this blog too :) (openID curse)
jul on May 5, 2009 9:53 AM
"He totally wussed out ..."
q on May 5, 2009 11:03 AM
$ ping jeff.attwood -c 1
PING jeff.attwood (www.codinghorror.com) 56(84) bytes of data.
--- www.codinghorror.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$
justpaul on May 5, 2009 11:08 AM
orangehorror
Enrique on May 5, 2009 11:19 AM
Two days, now, and Jeff didn't answer any comments... it's not a good sign....
Walter on May 5, 2009 11:28 AM
If Jeff's accounts have been completely taken over by the attacker, could the attacker please write today's column? Thank you.
Seriously, I'll bet he's working to patch the security hole before he tells the world about it. Like all programming tasks, it has taken longer than estimated.
-Andy
AndyL on May 5, 2009 11:39 AM
Old school hacking. Nice. Pity the law has made what this person did a criminal act. I always thought the hackers who came and did no real damage except to pride, and left a message on how to undo anything they left [embarrassing name change, etc.] and how to prevent future penetrations, were doing the web site utilizing the hack (and in those days bulletin board ops/IT managers) a big security favor.
Fascist Nation on May 5, 2009 11:43 AM
@Fascist Nation: Yea, it's illegal to do someone else's job for them, or help them do their job. I think that's stupid also. It should only be illegal if you do something bad, like spamming, etc.
Lucas on May 5, 2009 11:46 AM
When is this cock tease going to tell us what the password was? Why would the hacker say it was a dictionary password if it was not one?
Anonymous on May 5, 2009 12:15 PM
I accidentally discovered your username and password while I was being bored. The good news is I changed it to something very complex to protect your interests. But the bad news is I can't remember what it was.
My openid account requires authentication using x509 in addition to a username and password. Passwords alone are weak!
Chaz6 on May 5, 2009 12:25 PM
@Fascist Nation: If a stranger breaks into your house, but doesn't take anything, do you call the police or do you thank them for doing you a favor?
Frank on May 5, 2009 12:52 PM
Just a shot in the dark... but was it a stack overflow that caused the problem? :)
@Frank: If a stranger comes to your door, and turns your doorknob, and it's unlocked, do you call the police?
Kevin H on May 5, 2009 12:58 PM
@Kevin H: Probably. I sure as heck wouldn't thank him, though.
Frank on May 5, 2009 1:06 PM
False Comparison.
Doorknobs are common, well-understood technology. They're lowest common denominator. Telling a stranger that he isn't using his doorknob right would be insulting and pointless in any circumstance.
If someone pulled some harmless stunt to illustrate that a very expensive home security system had been installed improperly, I might be inclined to thank him. This way I could get the people who installed it to fix it, and the money I spent on the system would no longer be wasted.
This is entirely theoretical, however, since I do not own such a system.
AndyL on May 5, 2009 1:13 PM
If you hide your key under the doormat, and someone sits in your bush watching you one day; then he comes around the next evening and opens up your locked door with it and leaves you a note. Do you thank him?
I'd move the key, but I'd keep a baseball bat handy, and he'd get something that wasn't thanks if I ever saw him around.
anon on May 5, 2009 1:18 PM
Point being that people who have secure things expect them to be respected, even if their security is lousy. It's not acceptable to break their security just because you can.
anon on May 5, 2009 1:20 PM
"Seriously, I'll bet he's working to patch the security hole before he tells the world about it. Like all programming tasks, it has taken longer than estimated."
We know how long it will take - 6 to 8 weeks. :p
AnonJr on May 5, 2009 1:25 PM
I believe the attacker built a pit along your daily jogging route. Then filled it with hundreds of sporks and pez dispensers. He then tactically placed a phony MacBook in the corner of the pit that was set to StackOverflow.com and would loudly announce every key that was pressed.
He then covered the pit with fig tree leaves and sticks. To grab your attention he placed an apple on a tree branch right above the pit.
There you were jogging when you spotted the apple. You walked over and WHAM! Set off the trap and into the pit you went. Frightened you screamed for help but after noticing the MacBook in the corner you thought you might be able to call to arms the mighty horde of StackOverflow members to assist in your rescue.
You plucked out whatever sporks and pez dispensers were jammed into your arms and made your way to the MacBook. To your surprise the login page to StackOverflow was already open. Without noticing that the computer was announcing each key pressed you entered your username and password and were able to send a distress call to your friends.
In the meantime mr "hacker" was a few yards away listening in on your password and logging into your account.
Denny on May 5, 2009 1:29 PM
Even naive worst-case passphrases like "this is my password" aren't all that hackable, at least when compared to their single word equivalents, e.g., "password".
Easier on the user, harder for hackers: that's a total no-brainer. I've adopted passphrases across the board on all the systems I use.
is it "this is my password" ?
Meh on May 5, 2009 1:31 PM
This blog is just ridiculous, pure fun, no knowledge gained.
Codehorror the Movie, next? Jeff vs. Jason?
BugFree on May 5, 2009 1:37 PM
Fgpyyih804423
Linuturk on May 5, 2009 1:38 PM
Another possibility is that this is a hoax to see how many visitors Jeff the Man can get. Remember, the thickness of butter on his toast depends on Unique Visitors to this site (and maybe even stackunderflow).
Future posts will most likely be a crowdpleaser mix of tech stuff and gossip such as this nonsense with password. Then he will come out with Advice on Secure Passwords, speak at the conference how he got hacked (and lived to tell about it!), t-shirts, mugs, the whole shebang.
iPhone content coming next.
BugFree on May 5, 2009 1:41 PM
Let me test a quick theory - was the password "glider" or some variation thereof (the name of the hacker symbol)?
Andy on May 5, 2009 1:49 PM
s/he must have gotten the password using a forgot password functionality that sent the real password in plain text, 37 Signals style!
Soyapi on May 5, 2009 1:57 PM
"Seriously, I'll bet he's working to patch the security hole before he tells the world about it. Like all programming tasks, it has taken longer than estimated."
I would sincerely hope he had already fixed the problem before announcing to the world that a security hole existed.
Steve W on May 5, 2009 2:06 PM
> If someone pulled some harmless stunt to illustrate that a very expensive home security system had been installed improperly, I might be inclined to thank him. ... This is entirely theoretical, however, since I do not own such a system.
Party @ AndyL's house!
Adam V on May 5, 2009 2:18 PM
It has to be this XSS vulnerability on Stackoverflow that is the source:
Stefan on May 5, 2009 2:28 PM
I still can't see this sentence fulfilled:
"I'll reveal that tomorrow"
JS on May 5, 2009 2:39 PM
today is today.. and tomorrow will soon be today again.. .. and so on.. .. there won't be a tomorrow.. ..
btw.. the pass was.. "2m0rr0w"
I'll bet it was "swordfish"
Koriar on May 5, 2009 3:23 PM
the password was the url to this post which he had predicted all along.
The dictionary was built from phrases used on this blog.
Oh, and the brute-forcing algorithm was built to keep the words in something approaching a logical English grammatical order, making the passphrase significantly less secure than
[dictionary size]^[passphrase word count]
@BugFree -- by Jove! I think you're right!
Steve on May 5, 2009 5:33 PM
My guess would be that you have forgotten that you've become somewhat of a web-celeb Jeff. In much the same way that Sarah Palin made the mistake of thinking that the place she met her sweetheart was private, I would bet there's some aspect of you that turned out to be not as private as you thought. The traditional tactic of "think of something nobody else knows" doesn't really work when privacy on the web is effectively dead.
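Steve's point above that a passphrase is only as strong as [dictionary size]^[passphrase word count] for the dictionary the attacker actually uses, together with Meh's passphrase argument and the substitution-style guesses (0range, App1e, @ for a) from tektor and Philip earlier in the thread, can be put in numbers. This is an added example, not code from the original post or its commenters; the 100,000-word dictionary, the 2,000-word blog vocabulary, the substitution rule set, the 72-character set and the guess rate are assumptions chosen for illustration, and the block goes slightly beyond the thread by enumerating the substitution variants rather than estimating them.

```python
"""Guessing effort for the password styles proposed in this thread.

Added example, not from the original post. The dictionary sizes, blog
vocabulary size, substitution rules and guess rate are assumptions; the
formulas are the usual keyspace = choices ** positions and
bits = log2(keyspace).
"""
import math
from itertools import product

# Substitutions a typical "leet" mangling rule set tries (assumed rule set).
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "l": "l1", "o": "o0", "s": "s$5"}


def leet_variants(word: str) -> list:
    """All spellings the substitution rule produces for one word (0range, App1e, ...)."""
    choices = [LEET.get(c, c) for c in word.lower()]
    return ["".join(p) for p in product(*choices)]


def bits(keyspace: float) -> float:
    """Entropy in bits of a secret chosen uniformly from a keyspace of that size."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try the whole keyspace."""
    return keyspace / guesses_per_second


def policy_bits(dictionary_size=100_000, blog_vocabulary=2_000, phrase_words=4,
                charset=72, random_length=8, sample_word="password") -> dict:
    """Bits of work for each password style mentioned in the thread.

    The leet entry models tektor's and Philip's suggestion: one dictionary
    word with character substitutions. Every word is given the expansion
    factor of sample_word, so it is an estimate, not a count over a real
    dictionary. The blog-vocabulary entry models Steve's point: an attacker
    who builds the dictionary from phrases on the blog shrinks D from the
    whole language to the author's vocabulary. The grammar-order pruning
    Steve also mentions would cut it further and is not modelled here.
    """
    leet_factor = len(leet_variants(sample_word))
    spaces = {
        "single dictionary word": dictionary_size,
        "dictionary word with leet substitutions": dictionary_size * leet_factor,
        f"random {random_length} chars from {charset}": charset ** random_length,
        f"{phrase_words}-word passphrase, whole dictionary": dictionary_size ** phrase_words,
        f"{phrase_words}-word passphrase, blog vocabulary": blog_vocabulary ** phrase_words,
    }
    return {name: bits(space) for name, space in spaces.items()}


if __name__ == "__main__":
    # Assumed unthrottled online rate of 1000 guesses per second.
    for name, b in policy_bits().items():
        days = seconds_to_exhaust(2 ** b, 1000) / 86400
        print(f"{name:44s} {b:5.1f} bits  {days:14.1f} days")
```

With the assumed sizes a single dictionary word is about 16.6 bits, and the 54 substitution spellings that the rule set generates for "password" add only about 5.8 bits on top of it, while every additional passphrase word adds the full 16.6 bits. Shrinking the attacker's dictionary to the author's own 2,000-word vocabulary takes the four-word phrase from about 66 bits down to about 44, which is the effect Steve describes; a grammar-ordered generator would reduce it further.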
Bob Somers on May 5, 2009 7:37 PM
wow...look at the traffic stats since Jeff posted this entry. Interesting......
gene m on May 5, 2009 10:29 PM
The thing is that usually one little hole in an unimportant account leads to hints and holes regarding other accounts. You know - you save a tmp file you needed for the other account, used the email with some interesting info...
Once you have something that needs to be secured - all your online presence should be secured or totally separated. \-:
(obviously i don't follow that myself but I have nothing of importance)
oren on May 5, 2009 11:04 PM
He is probably waiting for the podcast to talk about it now.
Simucal on May 5, 2009 11:31 PM
C'mon. Where is the answer?
stop those cliffhanger stuff
second on May 5, 2009 11:42 PM
I make another suggestion: he forgot to lock his computer in public when he went to the rest room.
Steve B. on May 6, 2009 12:14 AM
it's far past 'tomorrow'..
>:| on May 6, 2009 12:23 AM
"Tomorrow never comes"
(Hammerfall, Remember Yesterday)
Someone work out Jeff's password and post a comment as him so we can pretend he's still alive :P
Aaron Powell on May 6, 2009 1:54 AM
It wasn't Jeff that posted this blog entry
Phil on May 6, 2009 3:02 AM
jesus christ, he explained it all in the email,
fucking retarded comments.
anon on May 6, 2009 3:43 AM
This is actually a social experiment Jeff is performing on us so he could choose the most secure password.
Shy on May 6, 2009 3:43 AM
His page traffic for the days since this post has tripled. He's milking it, and will retire to the Bahamas on his DoubleClick revenue ...;-)
gene m on May 6, 2009 4:24 AM
My guess:
The hacker received an exception page from StackOverflow.com. The site was set to customErrors="Off" so the details of the exception were dumped to his browser. Somewhere in there, a password was hardcoded. Possibly in a DB connection string. The password was weak and relevant to Jeff (his wife's name or something), so the hacker made the assumption that it may also be used for other accounts (i.e. OpenID).
Patty O'Fernachure on May 6, 2009 4:27 AM
Is it a social engineering attack?
manoj on May 6, 2009 4:50 AM
Is it hacking at all?
q on May 6, 2009 4:57 AM
Jeff, where are you?
I guess it's 'stackoverflow'
Ahmed on May 6, 2009 5:12 AM
"Tomorrow" for large values of "tomorrow"?
bigfoot on May 6, 2009 5:23 AM
Perhaps the vulnerability affects the OpenID provider and he wants to give them time to patch the hole before publishing.
Patty O'Fernachure on May 6, 2009 5:28 AM
I have preached this over and over. OpenID is a flawed concept. I use it only for StackOverflow and then under protest. Please make OpenID go away.
Mark on May 6, 2009 6:55 AM
@Mark, for completeness, please re-preach so that I (who does not usually follow the thousands of comments on this blog) may understand your opposition to OpenID.
Patty O'Fernachure on May 6, 2009 6:58 AM
ah, pw-wise - I'll go for HenryBurton.
oren on May 6, 2009 11:36 AM
@(not) Stephen
Thanks, I didn't think of it that way. Learn something new every day.
Stephen on May 6, 2009 11:44 AM
IHeartBunnies!
IHeartBunnies! on May 6, 2009 8:53 PM
nice. I've had my fair share of accidental break-ins! XD
andrew on May 8, 2009 2:50 PM
Once I saw a Stack Overflow bug where I was logged in as ANOTHER user. I have some good reputation, but when I use OpenID and log in, Stack Overflow says that it doesn't have my account already.. A while later, I couldn't see the issue.
Krish on May 9, 2009 4:18 AM
Damn! I think you were lucky, man!
Yigit Ozdamar on May 26, 2009 5:47 AM
Well your solution should have been to throw more Ajax at the problem and keep calling yourself experts. Thanks for posting such a great fail :)
Dave Lustrail on June 26, 2009 6:47 PM
Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.