Comments on: Password Searching as a service http://www.timnash.co.uk/10/2009/password-searching-as-a-service/ The Stuff Consultant Tue, 07 May 2013 14:50:53 +0000 hourly 1 http://wordpress.org/?v=3.5.1 By: Tim Nash http://www.timnash.co.uk/10/2009/password-searching-as-a-service/comment-page-1/#comment-3121 Tim Nash Wed, 07 Oct 2009 09:44:52 +0000 http://www.timnash.co.uk/?p=405#comment-3121 but would you trust a service that just returned the data you provided?
I think for it to work and to shock people into doing something it needs to return the password or something the user didn’t give you. Though you would still need to read the list so would still be having the same problem.

Unless you simply return positive everytime and never read the list of course ;)

The issue is less with what data is returned but more by reading the data in the first place.

]]> By: Joff http://www.timnash.co.uk/10/2009/password-searching-as-a-service/comment-page-1/#comment-3120 Joff Wed, 07 Oct 2009 09:39:44 +0000 http://www.timnash.co.uk/?p=405#comment-3120 Do you need to search the passwords at all? If there’s a list of emails and passwords, then just return whether the email is in the list.

I can’t see that being on the wrong side of the law.

]]> By: Tim Nash http://www.timnash.co.uk/10/2009/password-searching-as-a-service/comment-page-1/#comment-3119 Tim Nash Wed, 07 Oct 2009 09:30:51 +0000 http://www.timnash.co.uk/?p=405#comment-3119 Problem is the service would knowing be opening and reading “stolen” passwords and there would be no way to not open and read other peoples passwords while processing the html file. So while you might have the permission of one person you don’t of the rest.

]]> By: Glen Allsopp http://www.timnash.co.uk/10/2009/password-searching-as-a-service/comment-page-1/#comment-3115 Glen Allsopp Tue, 06 Oct 2009 19:42:12 +0000 http://www.timnash.co.uk/?p=405#comment-3115 I personally think it would be a cool idea Tim, although depending on who long it takes to make, people may have recitified the situation by the time the tool comes out?

I’m pretty sure it would be legal, just put a handy T&C in there to be safe :)

- Glen

]]> By: Tim Nash http://www.timnash.co.uk/10/2009/password-searching-as-a-service/comment-page-1/#comment-3114 Tim Nash Tue, 06 Oct 2009 18:28:27 +0000 http://www.timnash.co.uk/?p=405#comment-3114 Actually doing the rounds on the web and on many websites right now are tens of thousands of passwords got in the latest phishing attempt,
http://news.bbc.co.uk/1/hi/technology/8292928.stm
It took about 2 minutes and only a smidgeon of logical thinking to find a dozen or so sites with the passwords and being indexed in part by Google.

the issue which I should have put up, is that to “find the users specific password” the app would need to open and read the page containing the passwords and extract data.

Since the data is “stolen” you would have in effect be a accessory to the theft, even linking to it is a grey area you may remember TVLinks sites problem.

]]> By: Joe Hall http://www.timnash.co.uk/10/2009/password-searching-as-a-service/comment-page-1/#comment-3113 Joe Hall Tue, 06 Oct 2009 18:21:23 +0000 http://www.timnash.co.uk/?p=405#comment-3113 I don’t think it would be illegal because it would be an opt in service with registration. But, more importantly, I don’t think it would work. Most folks that pass around hacked email/passwords don’t do it publicly. They mostly stay on their IRC channels or closed news groups. I think the big area where you might have some luck would be a few of the forums, but like I said not many divulge their data on there, just talk about it.

]]>