Philip Newton (pne) wrote,

Phishing != cracking passwords

I just read a news article (in German) about the username/password lists with Hotmail, Yahoo! and Gmail users.

I was a bit disappointed to read that the passwords were referred to as having been "cracked" ("gaben ... bekannt, dass Passwörter von Privatkonten geknackt und im Internet veröffentlicht worden seien" = "... announced that passwords of individual accounts were cracked and published on the Internet") when in fact it appears that the passwords were obtained through phishing ("Hotmail, Yahoo und Gmail erklärten übereinstimmend, dass die Zugriffe auf die persönlichen Daten nicht durch Lücken in den Sicherheitsprogrammen, sondern durch Phishing zustande gekommen seien. Dabei werden Nutzer etwa mit betrügerischen E-Mails zur Preisgabe geheimer Daten gebracht." = "Hotmail, Yahoo, and Gmail explained unanimously that access to the personal data was gained not through holes in the security programmes but through phishing. In the process, users are induced to divulge secret data, for example through fraudulent emails.").

I'd say that "cracking" is applicable if an encrypted password is deciphered, a hash reversed, or a password brute-forced by attempting to log into a given account again and again with different passwords until the correct one is determined. But if a password is phished, i.e. divulged in plain text by a user, I wouldn't call that "cracked".
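The distinction above has a concrete, observable side for anyone running an authentication service: a brute-forced login leaves a trail of failed attempts before the success, while a phished credential is simply presented correctly on the first try, exactly as the legitimate owner would present it. The following is an added example (not part of this post and not code from any of the services named) that runs that heuristic over a constructed authentication log. The log format, the `threshold` and `window` values, and the labels are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the post or any real
# service). Assumed format per line: ISO timestamp, username, OK|FAIL, source IP.
SAMPLE_LOG = """\
2009-10-06T08:00:01 alice FAIL 198.51.100.7
2009-10-06T08:00:02 alice FAIL 198.51.100.7
2009-10-06T08:00:03 alice FAIL 198.51.100.7
2009-10-06T08:00:04 alice FAIL 198.51.100.7
2009-10-06T08:00:05 alice FAIL 198.51.100.7
2009-10-06T08:00:06 alice OK 198.51.100.7
2009-10-06T09:15:00 bob OK 203.0.113.5
2009-10-06T10:00:00 carol FAIL 192.0.2.10
2009-10-06T10:00:30 carol OK 192.0.2.10
"""


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip


def classify_logins(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: label} for every user with a successful login.

    'guessed'   - the success was preceded by at least `threshold` failures
                  within `window`: the repeated-attempt pattern the post
                  would call "cracking".
    'first-try' - the correct password was presented without such a run of
                  failures. A phished credential looks exactly like this in
                  the auth log, and so does the legitimate owner logging in;
                  the log alone cannot tell the two apart.
    """
    failures = defaultdict(list)   # user -> timestamps of recent FAILs
    labels = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, _ip = parse_line(line)
        if result == "FAIL":
            failures[user].append(ts)
            continue
        # Successful login: count failures that fall inside the window before it.
        recent = [t for t in failures[user] if ts - t <= window]
        labels[user] = "guessed" if len(recent) >= threshold else "first-try"
        failures[user].clear()     # a success ends the current attempt run
    return labels


if __name__ == "__main__":
    for user, label in classify_logins(SAMPLE_LOG).items():
        print(f"{user}: {label}")
```

In the constructed log, alice's account shows the guessing trail, while bob's and carol's successes carry no such signal; a stolen-by-phishing password used on bob's account would be indistinguishable here from bob himself, which is why the post's terminology point matters to defenders as well as to journalists.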

Semantics, perhaps, but I was a bit annoyed at the use of that word in that context, and I'd call that poor journalism.

(Especially since I don't think that anybody would say that the usernames were "cracked", even though those were also obtained in the same way as the passwords -- and in some cases, a username can be nearly as secret as a password.)
