Over the last couple of weeks, I’ve seen a few examples of passwords being rejected for failing to meet the complexity rules.  For example, the current password is “secret1234” and the new password attempted is “secret1235”.  There are similar variations where people attempt to use the year and month – “password201810” and “password201811”. 

    My password manager shows that I have 516 accounts and passwords.  Trying to remember 516 passwords is impossible which is why you should use a password manager.  While a typical user might not have 516 accounts, they have quite a few and without a password manager, they try to create something memorable.  I completely understand their need to change one digit and move on -- I disagree but I understand.  Here’s the problem – let’s say I get wind of this type of pattern and the initial portion of the password is “testing” and the remaining portion is a four digit number.  Technically, it’s an eleven digit, alphanumeric, password.  In reality, it’s a four digit, numeric, password. 


    I've never really understood the purpose of Pastebin from a practical sense.  I think I get the concept, I just don't know why you'd use it.  That being said, its darker side is breach data dumping for the world to see.  

    Yesterday, I was thinking about the API and wondering if I wanted to write a script to search the pastes for client email addresses.  While digging around on the site, I checked out a few pastes.  Lots of people dumping code snippets and then I saw something.  Among the code snippets, I saw what looked to be base64.  I grabbed it, decoded it, and what I saw looked to be binary gibberish.  I thought it was going to be something clever like a message but that's just me playing too much CTF.  But then I did a Google search for "What is the purpose of Pastebin?" and I saw a search result talking about base64 encoded malware.  What!?!?  After reading the article, I was left with only a partial picture.  Perhaps the author didn't want to spell things out completely?  I don't know.  So I started working it through on my own.


    Have I mentioned that I love WordPress?  I do, as long as I’m not maintaining it.  When I’m maintaining it, I hate it.  My kneejerk reaction is to call it junk.  It’s not junk but it’s what happens when designers cut out developers.  I get it – you’re a designer, you want to move quickly and here’s this product which is easier to learn than coding.  If you want a fancy slider, you install a plugin.  If you want to embed a YouTube video, you install a plugin.  From that point of view, it’s amazing.  From my point of view, every time you bolt on a new widget, there’s a potential for an opening.  Heck, without plugins, you can still get owned which is what we’re going to explore in a moment.


    I tried writing this with fewer lines of code using a list of passwords and another attempt with IGNORECASE but neither worked or worked with 100% accuracy.  Rather than spin my wheels, I just went this route with elif.  

    We're recursively searching inside of Word docx files for either:  password, Password, or PASSWORD

    When we get a match, we print the document location and the line containing our string match. 

    Storing passwords in a Word document is a bad practice -- this script shows you why it's a bad practice and why you should use a password manager.

    #!/usr/bin/python
    import os
    import re
    import docx
    document_list = []
    for path, subdirs, files in os.walk(r"./"):
        for name in files:
            if os.path.splitext(os.path.join(path, name))[1] == ".docx":
                document_list.append(os.path.join(path, name))
    for document_path in document_list:
        document = docx.Document(document_path)
        for paragraph in document.paragraphs:
            if "password" in paragraph.text:
                print(document_path+':'+paragraph.text)
            elif "Password" in paragraph.text:
                print(document_path+':'+paragraph.text)
            elif "PASSWORD" in paragraph.text:
                print(document_path+':'+paragraph.text)


    I ran into an issue while installing Google Authenticator on Ubuntu 18 and although the solution is simple, it's given me an opportunity to discuss three items.

    First, the issue:

    You attempt to install Google Authenticator using the following:

    sudo apt install libpam-google-authenticator

    And you're presented with the following error:

    E: Unable to locate package libpam-google-authenticator


    A common practice I see from time to time that makes me cringe -- documents titled "passwords" which contains passwords.  It's fairly simple to hunt those down though.  Files containing sensitive data such as social security numbers and credit card numbers are a harder due to not so obvious filenames and the numeric formatting possibilities.  I was originally intending to go with two different scripts but ended up combing them.

    This test script searches recursively for .txt files, hunts for both social security numbers and credit card numbers, with dashed and non-dashed variations, and then it spits out the number with the corresponding filename and path.    

    #!/usr/bin/python3
    import re
    import sys
    import glob
    folder_path = './'
    for filename in glob.iglob(folder_path + '**/*.txt', recursive=True):
        file = open(filename, 'r',errors='ignore')
        for line in file:
            if re.match(r'\b(?:\d[ -]*?){13,16}\b', line):
                sys.stdout.write(filename+':'+line)
            elif re.match(r'^\d{3}-?\d{2}-?\d{4}$|^XXX-XX-XXXX$', line):
                sys.stdout.write(filename+':'+line)


    © 2020 sevenlayers.com