I'm CTO for Manwin Canada and ultimately responsible for YouPorn.
It's unfortunate that people are associating chat.youporn.com with the actual YouPorn.com site, but they are not affiliated at all. It was operated by a completely separate entity, which we've obviously closed as soon as we discovered it. The accounts on chat.youporn.com are different from the accounts on YouPorn. Though, as was mentioned, it is probable that some have re-used the same username/password combination, which is highly unrecommended for all you folks out there (if you read Hacker News, you already know that).
As for password policies, I've been enforcing hashing of passwords ever since joining, though as we inherit a lot of old code and sites we correct issues such as that as we come across them.
I'll be around for a while, if anyone wants to ask questions.
By hashing, do you mean current best practice (bcrypt, scrypt, or possibly a PBKDF with high work factor), or something easily brute-forced like MD5 and SHA1? There are issues with migration if you're doing the latter, but not a big deal.
Do you have any contractual recourse against the chat provider? Have you considered including such terms in future contracts with partners?
Do you have a security audit firm? There's plenty of value in in-house audits, but some kind of independent audit is probably a reasonable choice. You probably don't have PCI concerns (it's free, right?), but users might feel better about privacy otherwise. Just the existence of an account for a given user is probably an issue for some people, so even foolish things like using the same username on a porn site as on other sites could be a leak -- being able to verify that myhusbandinvirginiasportsfan is a valid user account on youtube would potentially make a divorce attorney very happy.
Would you answer general questions about the site/business, too? The whole porn tube thing seems like a big change in the industry (I was at SHOT Show in Vegas a few weeks ago, and stopped by the concurrent AVN event -- they really hate the tubes). I'm especially curious how you feel about the meta-tube sites (e.g. fantasti.cc) which seem to blatantly scrape youporn (and other tube) content. Preroll ads still show, but nothing else.
Were you the CTO at YouPorn back in 2010, when the company abused a flaw (css sniffing) in web browsers that allowed your company to covertly determine what other porn sites users had visited? See:
http://www.forbes.com/sites/kashmirhill/2010/11/30/history-s...
Do you think that it was reasonable behavior to engage in without telling your users?
How does that work? Who assigns the DNS values for chat.youporn.com? Moreover, youporn.com and chat.youporn.com actually point to the same IP address, namely 31.192.116.24.
There must be some level of affiliation then, right?
I have a 50/50 chance of traveling through Montreal & Ottawa later this year. I'd love to buy you a coffee and pick your brain a bit about your tech stack and the IT challenges you've faced at YP. May I contact you?
It was actually the passwords to YP Chat, not YouPorn itself. The YouPorn guys are pretty reasonable engineers and sysadmins, from what I've seen, and manage user passwords correctly.
Personally, I think in 2012, if you're not using a password manager to generate and manage unique, strong passwords per site, especially for "sketchy" stuff like porn sites, you're already doomed.
Also, Presidents Day and other minor useless holidays are great times for annual rituals like tracking down and changing any legacy shared passwords you may have. Don't wait for a breach!
I'm going to guess that there's a significant subset of YPChat users who also created YP accounts and also used the same login credentials for both... I mean, how many users who are savvy enough to create multiple logins/passwords for a site and its chat subdomain would even create an account (one linkable to their identity) on YP in the first place?
The sad thing is, people don't use password managers out of laziness despite the fact that it actually speeds up all of these processes. One password unlocks it, one click to login to any of my sites with strong, secure, unique passwords. Autofills out registration forms and generates a unique password for me. It's faster than me having one memorized password.
Yet, friends and HN hackers alike have scoffed at my attitude which is roughly the same as yours. If you're blindly trusting sites with a non-unique password, it's only a matter of time.
(edit) To get ahead of the repeat replies, LastPass syncs across browser extensions, encrypts/decrypts locally, can be accessed from any browser even without an extension and has mobile apps. I've been using it for probably two years now and I've never not been able to access an account even when using all varieties of guest computers, iPads, etc.
How many sites need to be humiliated like this before people learn to hash passwords with something like bcrypt? It's like two damn functions. You just call them! It's so easy that even a baby squirrel could do it! There is no excuse.
Until then, I hope everyone is using a throwaway password for accounts that can be non-disastrously stolen, and using strong unique passwords for the important ones.
Based entirely on the format of the data that was publicly accessible, it looks like this data, including usernames and passwords, is raw $_POST server variables spit out in a debug log. All the hashing and encryption in the world can't protect you against saving the data to disk, above your webroot, in plain text before you hit your security component. This was pure programmer error, a form of ignorance, but not necessarily a sign of incompetence.
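As an added illustration of the failure mode the comment above describes (a request body written to a debug log before any hashing happens), here is a small Python redaction layer that masks credential-like fields before anything is serialised to the log. This is example code written for this page, not code from the thread or from the site involved; the field-name patterns, the sample form submission and the log-line format are all assumptions constructed for the example.

```python
import json
import re

# Key names that must never reach a debug log. Matched case-insensitively as
# substrings so "user_password", "Password2", "ccNumber" and "e-mail" are all
# caught. Over-matching (e.g. "author" via "auth") is the safe direction.
SENSITIVE_KEY_RE = re.compile(
    r"(pass|pwd|secret|token|card|cvv|cvc|ssn|auth|mail)", re.IGNORECASE
)
MASK = "[REDACTED]"


def redact(value):
    """Return a copy of a decoded request body with sensitive values masked.

    Recurses into dicts and lists so nested form arrays (PHP's user[password])
    are covered. The input object is left untouched.
    """
    if isinstance(value, dict):
        return {
            k: (MASK if SENSITIVE_KEY_RE.search(str(k)) else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def debug_log_line(request_path, post_data):
    """Format one debug-log line. Only the redacted form is ever serialised,
    so a log file left world-readable cannot leak credentials."""
    return json.dumps({"path": request_path, "post": redact(post_data)}, sort_keys=True)


# Constructed sample resembling the kind of login/registration submission
# discussed in the thread (hypothetical values, not real data).
SAMPLE_POST = {
    "username": "alice",
    "password": "correct horse battery staple",
    "email": "alice@example.com",
    "user": {"pwd_confirm": "correct horse battery staple"},
    "remember": "1",
}

if __name__ == "__main__":
    print(debug_log_line("/chat/login", SAMPLE_POST))
</test>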
Besides "use bcrypt" I've never really seen decent guidance on how to actually store passwords (what sort of salt to use, where to store the salt, if and where to store the hash method, how/where to store the key, etc).
Okay, let's say you have to integrate with a third party product that can only deal with passwords in normal crypt(). What do you do then? (Rewrite third party product is not a valid answer).
What if you're integrating with something like a Windows VPN w/RADIUS, which needs the plaintext password?
Bcrypt, while trivial for many applications, is not the answer to everything.
> I hope everyone is using a throwaway password for accounts that can be non-disastrously stolen, and using strong unique passwords for the important ones.
Why even bother with the distinction. Use a unique password for every login. Use something to manage your passwords. If someone is unwilling to generate a password for an unimportant site, they're probably also too lazy to properly generate unique passwords for sites that matter.
im so glad you noticed this, because it got me laughing but i couldnt decide if it was on purpose or not either! A good joke on words makes the world a better place.
Everything was on http://chat.youporn.com/tmp/ completely open to the public so this is an even bigger screw-up than the fact that they didn't hash their passwords.
Why would anyone sign up for a porn site with their main email address? What baffles me even more is how some people actually whip out their credit card and give the digits to a porn site.
What baffles me even more is how some people actually whip out their credit card and give the digits to a porn site.
Why? Most of the big porn studios are as trustworthy as any other Internet business of the same size, and if your credit card number is misused, you're not liable for the charges anyway. Porn popularized selling DRM-free content for money long before Louis CK made it popular. Porn actors need to pay their rent too.
And all this after all the press about them moving their entire stack to Redis etc etc. How can a company achieve such an epic technical feat and have shitty password hashing?
I don't understand how this makes it to Top News. I think at this point we are all well aware that no user-password store is impenetrable or invulnerable and porn websites would hardly be an exception. If you do not know by now that you should not be using the same password across multiple accounts, it seems like there is little hope. There is no lesson to be learned here. Is it not an implicit assumption that if you subscribe to a porn website someone is mostly likely going to find out one way or another?
1. Don't reuse passwords.
2. Don't subscribe to porn sites if you have something to lose from someone finding out.
This has been passed around a certain anonymous messageboard for the better part of a week now, i'm surprised sophos has taken this long to write anything about it!
Bonus: it appears YouPorn has no way to change your password, nor any way to change (or even see) the email address that is associated with your account.
Unfortunately there are only 4800 unique users of total 6000 in pastie, a lot of dups. So recent arstechnica statistics, especially tag cloud by Ashkan Soltani, is not very accurate. It was very strange to discover generated '3kpm1858' password as popular. Check it here http://pastebin.com/f7MUMw6t
[+] [-] pstatho|14 years ago|reply
It's unfortunate that people are associating chat.youporn.com to the actual YouPorn.com site, but they are not affiliated at all. It was operated by a completely separate entity, which we've obviously closed as soon as we discovered it. The accounts on chat.youporn.com are different than the accounts on YouPorn. Though as was mentioned, it is probably that some have re-used the same username password combination that is highly unrecommended for all you folks out there (if you read Hacker News, you already know that).
As for password policies, I've been enforcing hashing of passwords ever since joining, though as we inherit a lot of old code and sites we correct issues such as that as we come across them.
I'll be around for a while, if anyone wants to ask questions.
[+] [-] rdl|14 years ago|reply
By hashing, do you mean current best practice (bcrypt, scrypt, or possibly a pbkdf with high work factor), or something easily brute forced like MD5 and SHA1. There are issues with migration if you're doing the latter, but not a big deal.
Do you have any contractual recourse against the chat provider? Have you considered including such terms in future contracts with partners?
Do you have a security audit firm? There's plenty of value to in-house audits, but some kind of independent audit is probably a reasonable choice. You probably don't have PCI concerns (it's free, right?), but users might feel better about privacy otherwise. Just the existence of an account for a given user is probably an issue for some people, so even foolish things like using the same username on a porn site as on other sites could be a leak -- being able to verify that myhusbandinvirginiasportsfan is a valid user account on youtube would potentially make a divorce attorney very happy.
Would you answer general questions about the site/business, too? The whole porn tube thing seems like a big change in the industry (I was at SHOT Show in Vegas a few weeks ago, and stopped by the concurrent AVN event -- they really hate the tubes). I'm especially curious how you feel about the meta-tube sites (e.g. fantasti.cc) which seem to blatantly scrape youporn (and other tube) content. Preroll ads still show, but nothing else.
[+] [-] csoghoian|14 years ago|reply
Do you think that it was reasonable behavior to engage in without telling your users?
[+] [-] rhizome|14 years ago|reply
[+] [-] ez77|14 years ago|reply
There must be some level of affiliation then, right?
[+] [-] HNatWORK|14 years ago|reply
[+] [-] zaidf|14 years ago|reply
So you guys cut a deal with another entity to let em "rent" the subdomain chat.youporn? Just intrigued by how this works.
[+] [-] Sukotto|14 years ago|reply
[+] [-] rdl|14 years ago|reply
It was actually the passwords to YP Chat, not Youporn itself. The Yourporn guys are pretty reasonable engineers and sysadmins, from what I've seen, and manage user passwords correctly.
Personally, I think in 2012, if you're not using a password manager to generate and manage unique, strong passwords per site, especially for "sketchy" stuff like porn sites, you're already doomed.
Also, Presidents Day and other minor useless holidays are great times for annual rituals like tracking down and changing any legacy shared passwords you may have. Don't wait for a breach!
[+] [-] danso|14 years ago|reply
[+] [-] drivebyacct2|14 years ago|reply
Yet, friends and HN hackers alike have scoffed at my attitude which is roughly the same as yours. If you're blindly trusting sites with a non-unique password, it's only a matter of time.
(edit) To get ahead of the repeat replies, LastPass syncs across browser extensions, encrypt/decrypts locally, can be accessed from any browser even without an extension and has mobile apps. I've been using it for probably two years now and I've never not been able to access an account even when using all varieties of guest computers, iPads, etc.
[+] [-] pjscott|14 years ago|reply
Until then, I hope everyone is using a throwaway password for accounts that can be non-disastrously stolen, and using strong unique passwords for the important ones.
[+] [-] uxp|14 years ago|reply
[+] [-] noobface|14 years ago|reply
[+] [-] pbreit|14 years ago|reply
[+] [-] devicenull|14 years ago|reply
What if you're integrating with something like a Windows VPN w/RADIUS, which needs the plaintext password?
Bcrypt, while trivial for many applications, is not the answer to everything.
[+] [-] ppod|14 years ago|reply
I estimate that the average web user understands about 66% of those words. And that's if we give them 'password'.
[+] [-] drivebyacct2|14 years ago|reply
Why even bother with the distinction. Use a unique password for every login. Use something to manage your passwords. If someone is unwilling to generate a password for an unimportant site, they're probably also too lazy to properly generate unique passwords for sites that matter.
[+] [-] laconian|14 years ago|reply
[+] [-] verelo|14 years ago|reply
[+] [-] NelsonMinar|14 years ago|reply
Top 10 passwords: 110 123456 / 75 123456789 / 30 12345 / 23 melinda / 19 fuck / 18 1234567890 / 17 Nightmare / 16 allzen / 15 password / 15 anal
That's of about 6400 records.
[+] [-] pyre|14 years ago|reply
[+] [-] ahel|14 years ago|reply
[+] [-] Kiro|14 years ago|reply
[+] [-] joejohnson|14 years ago|reply
[+] [-] tansey|14 years ago|reply
[+] [-] rokhayakebe|14 years ago|reply
[+] [-] jrockway|14 years ago|reply
Why? Most of the big porn studios are as trustworthy as any other Internet business of the same size, and if your credit card number is misused, you're not liable for the charges anyway. Porn popularized selling DRM-free content for money long before Louis CK made it popular. Porn actors need to pay their rent too.
[+] [-] aaronpk|14 years ago|reply
[+] [-] rsanchez1|14 years ago|reply
[+] [-] te_chris|14 years ago|reply
[+] [-] cstejerean|14 years ago|reply
[+] [-] ___Calv_Dee___|14 years ago|reply
1. Don't reuse passwords. 2. Don't subscribe to porn sites if you have something to lose from someone finding out.
[+] [-] jarin|14 years ago|reply
[+] [-] jamesu|14 years ago|reply
[+] [-] shadowed|14 years ago|reply
[+] [-] paul9290|14 years ago|reply
[+] [-] simcop2387|14 years ago|reply
[+] [-] mycodebreaks|14 years ago|reply
[+] [-] verelo|14 years ago|reply
Any bets on asdfghjkl;' ??
i think i'll do this tonight
[+] [-] theirixhn|14 years ago|reply
[+] [-] daniellockard|14 years ago|reply
[+] [-] uvTwitch|14 years ago|reply