DEV Community

Thomas Hansen

Originally published at ainiro.io

I know your Password

I have written about Silicon Valley corruption before. Most people probably think such corruption is not relevant for them. However, most people are wrong.

A few days ago, 10 billion passwords were leaked. Purely mathematically, this implies that you have to assume your online life is compromised. 10 billion passwords is more passwords than there are people on earth, implying that the statistical probability of your password being in there is probably 99.99%.

This allows me to download the above password file, find your username, and create a script that allows me to log in to every single online account you've ever created in some 10 hours, without even breaking a sweat!

A solved problem

Leaking passwords in 2024 is quite frankly preposterous. There is no reason why Silicon Valley startups shouldn't use secure password storage, such as BlowFish hashing with an individual per-record salt. Storing passwords such that they're impossible to access is a "5 minute job" in 2024. Still, 98% of every single Silicon Valley startup cannot figure out how to store your passwords securely.

This is true to such an extent that it's almost impossible to fathom. Even Facebook had a password leak some 5 years ago, at which point the world could see that Facebook was storing passwords in clear text. The fix, may I add, is literally a 5 minute job. Below is some pseudo code that fixes it in 5 minutes ...

// Assumes workload 10, i.e. stored hashes start with the '$2b$10$' prefix
if (dbPassword.startsWith('$2b$10$')) {

    // Password is already hashed, verify the supplied password against the stored hash.
    return blowFishVerify(passwordArg, dbPassword);

} else {

    // Password is not hashed, i.e. still stored in clear text.
    if (dbPassword === passwordArg) {

        // Updating old password by hashing it.
        // To trap edge cases add a try catch around the next line of code.
        saveNewPassword(blowfish(passwordArg));
        return true;
    }
    return false;
}

The above is 10 lines of code, and can be implemented to intercept authentication requests, so that you "automagically" update all old passwords during the first login attempt. It's literally a 5 minute job applying the above code to your existing codebase. For bonus points, you can create a scheduled task iterating over all existing passwords in the database, hashing those that haven't already been hashed.
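The login-time migration and the scheduled rehash task described above, as an added example that is not the post's code: bcrypt (the `$2b$10$` format the post uses) needs a third-party package, so this swaps in PBKDF2-HMAC-SHA256 from Python's standard library with a random per-record salt, and uses its own `$pbkdf2-sha256$` format as the "already hashed" marker. The in-memory dict standing in for the user table, the function names and the work factor are assumptions.

```python
import base64, hashlib, hmac, os, re

# Self-describing hash string; the prefix doubles as the "already hashed" marker.
PREFIX = "$pbkdf2-sha256$"
HASHED_RE = re.compile(r"^\$pbkdf2-sha256\$\d+\$[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+$")
ITERATIONS = 200_000  # assumption: demo work factor (OWASP: 600,000 for PBKDF2-HMAC-SHA256)

def hash_password(password: str) -> str:
    """Hash with a fresh random 16-byte salt per record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return PREFIX + "$".join([str(ITERATIONS), base64.b64encode(salt).decode(),
                              base64.b64encode(dk).decode()])

def is_hashed(stored: str) -> bool:
    # Match the whole format, not only the prefix, so a clear-text password that
    # merely starts with the marker cannot be mistaken for a hash.
    return HASHED_RE.match(stored) is not None

def verify(password: str, stored: str) -> bool:
    """Recompute using the salt and iteration count embedded in the stored string."""
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def login(db: dict, username: str, password: str) -> bool:
    """The post's interception logic: verify hashed rows; for a legacy clear-text
    row, compare and replace it with a hash on the first successful login."""
    stored = db.get(username)
    if stored is None:
        return False
    if is_hashed(stored):
        return verify(password, stored)
    if hmac.compare_digest(stored.encode(), password.encode()):
        db[username] = hash_password(password)  # migrate on first successful login
        return True
    return False

def migrate_all(db: dict) -> int:
    """The post's scheduled task: hash every row still stored in clear text."""
    migrated = 0
    for username, stored in list(db.items()):
        if not is_hashed(stored):
            db[username] = hash_password(stored)
            migrated += 1
    return migrated
```

A failed login attempt must leave a clear-text row untouched, since the supplied password is the attacker's guess and not the user's; `migrate_all` needs no login at all because the legacy rows already hold the plaintext.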

However, for some weird reason, 99% of every single Silicon Valley startup that ever existed was too lazy to implement the above, which makes you wonder why they're obsessed with having access to your passwords in clear text ...

Are Silicon Valley software developers using your passwords to spy on you ...?

Because quite frankly, there exist no other reasons explaining this behaviour in 2024 ...

How AINIRO protects you

At AINIRO we've (ofc) done what no other startup has bothered to do, which is to store your passwords 100% securely. To prove that fact I'll publicly show you my own password.

$2b$10$nizBSsYoLDq/5P4vlw/7R.CyNeTHAQj5TSQ8tz2hGUEjPKYzXz6nW

The point being that the above is in fact not my password, but a BlowFish hashed version of my password, with a per-record salt and a workload of 10, making it impossible for a supercomputer to find its actual value, even if it had 1 billion years at its disposal. At AINIRO we store all passwords using BlowFish. This is an algorithm that of course nobody in Silicon Valley could be bothered to implement, because according to their own slogan they are ...

"Moving fast and breaking stuff"

And when they're breaking stuff that's not even theirs, they couldn't care less I assume, so they basically never fix it. For the record, if you need a Low-Code and No-Code solution that stores passwords the right way, you can use our Magic Cloud, allowing you to rapidly implement secure storage of passwords in case you're too inexperienced to implement blowFishHash yourself.

How passwords are stolen

Passwords are stolen by malicious hackers breaking into systems such as Facebook, Twitter, LinkedIn, GMail, etc., and gaining access to the password database. Most such password database systems are storing their passwords in clear text. Storing passwords in clear text is such a huge violation of security best practices that there should exist a special place in hell for developers still doing this.

But because Silicon Valley startups are, quote, "Moving fast and breaking stuff", most Silicon Valley companies are still storing passwords in clear text. In fact, I'm willing to bet a kidney that if I were to analyse the codebase of every single YC funded company from the last 36 months, probably 50% of them are storing passwords in clear text. It's simply easier for them, and if something bad happens, it's not their problem, so why should they care ...?

You can Sue the VC Company

90% of all Silicon Valley startups in the last decade were funded by the same VC companies, Sequoia, YC, and the other usual suspects. As I demonstrated in my previous article, these companies are swimming in money, and they're partially owned by some of the richest people on earth.

This allows you to sue these companies for having conducted themselves in such a way that malicious hackers found your password, and used it to impersonate you, possibly stealing money from you, and/or doing other types of harm towards you.

You can literally sue the richest companies and investors on the planet, and your chance of winning would be quite large too, assuming you can prove the password came from their database, and that you experienced losses due to the leak.

And why should you care if you drive them bankrupt? It's not like as if they cared about your password, right ...?

How to set a Trap

Creating a password leak trap is actually quite easy: just register at some Silicon Valley startup and choose a password such as "fg%54DFGfgfThisPasswordIsOnlyUsedAtReddit_com". Then wait for the next leak, search through its passwords, and see if you can find your password. If you can, you know for a fact that the password leak originated from Reddit, and you can sue Reddit for having endangered your online life.

Notice, I've got no idea whether Reddit stores passwords in clear text; they're merely used as an example.

By registering at 100+ different YC startups using passwords such as the above, you can probably sue 50+ companies the next time passwords are leaked, and you can expect to win every single lawsuit, becoming rich in the process.

Conclusion

Ignoring the fact that you should never reuse your passwords, and that you should choose long passwords with at least 12 characters, preferably 20, the problem is systemic. Today fixing the issue is so easy that I cannot imagine any other reason for Silicon Valley startups still violating this simple best practice besides that they want to access your password to spy on you.

However, you really don't have to put up with it. Sue the living crap out of them. They only understand one language anyway, and that's money! If you get to their wallets they'll change ...

Sue like CRAZY!

If you want a secure no-code and low-code system allowing you to manage your passwords securely, you can contact us below.

Top comments (4)

David Sugar

How can AI companies get to all that content that is hidden behind password protected accounts without being able to gobble everyone's passwords? Yes, my conspiracy idea for the day ;).

Of course, no AI is even needed to "use" this list... any script kiddie out for a joyhack will do.

Thomas Hansen

Hehe :D

Antonio | CEO at Litlyx.com

It is so interesting to read. Really nice. Can you please provide the website where we can find our leaked passwords?

Thomas Hansen

Search for RockYou2024.txt