When I was in college ~2011, I had a neat little piece of software installed that allowed me to sniff wifi networks. Turns out, the school did not locally encrypt your password before it was sent to the server. Meaning, students could have had super complicated passwords. And it wouldn’t matter. Because I got to see it in plain-text. The school allowed you to link a secondary email since they correctly assumed people might not check the school email as much as their personal. Which basically everyone did. And lots of people also use the same password for everything. You can see where I’m going with this…
Facebook did hash and salt their passwords, but I managed to crack a few using a dictionary attack on a pretty shitty laptop. Though if I remember correctly, if you were automatically logged in due to session cache or via cookies, I could not find your password because that handshake had nothing to do with your password. Maybe I could have used the data some other way, but I didn’t know how.