Amusing password masking social hack

Posted on: Fri, 12/09/2005 - 17:24 By: Tom Swiss

bash.org is a website that collects amusing snippets from IRC discussions. I found this little bit of social engineering quite amusing:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

(For non-geeks: most web forms, and many non-web applications, do not show a password as you type it, so that someone looking over your shoulder can't read it. Often the password is "masked" by echoing a * for each character. That masking is done by the local input field on your own screen, not by the network or by the chat service: IRC sends whatever you type to the channel verbatim, so a password typed into a chat message goes out in the clear to everyone in it. Cthon98 has fooled AzureDiamond into typing his or her password in the IRC discussion by convincing him or her that it will be masked for everyone else on the channel.)