Blog article
See all stories »

Object reference not set to an instance of an object.

Comments: (5)

Michael Wright
Michael Wright - Striata | Secure Document Delivery - London 19 October, 2009, 11:15Be the first to give this comment the thumbs up 0 likes


What leads you to the conclusion that the strong passwords were hacked rather than phished ?

My understanding is that the stronger the password, the harder it is to hack (i.e. guess) and therefore the more likely it is to have been phished (social engineering) or recorded by a key logging trojan or virus.

One of the fundamental issues that should be mentioned here is that people often use the same password on many different sites.

You should always make sure that you use different passwords for your banking sites and your email sites - having one password for low risk sites is not a good idea but probably expedient.



(P.S. Banks should be standardising on anti-phishing measures in their email)

Andrew Churchill
Andrew Churchill - MIDAS Alliance - London 19 October, 2009, 23:31Be the first to give this comment the thumbs up 0 likes


I hadn't noticed this blog until you'd flagged it, so thanks for pointing out some of the glaring errors.

Title - hacked via a botnet or phished

Para 1 - they're phished -good old social engineering!

Para 2, line 1 - they're hacked, but some were very weak!

Para 2, line 3 - now they're stolen (so not UK victims, as you can't steal information, merely exploit it for other unlawful purposes)

Para 2, line 5 - back to hacking, and only insecure passwords can be hacked, clearly

Para 3 - strong passwords are on the compromised list.

So, actually back to para 2 because, in itself (over and above the truism that those who are using stronger passwords are likely to be security aware and hence have anti-virus, et al, and not fall for Dear Mister emails) anyone using an insecure password is no more likely to be a victim of hacking or phishing.

If you've an insecure machine and you're gullible then the security of your password makes not the slightest difference (besides the chances of a friend or colleague logging in as you).

Final paras are valid, but hardly news, so I'm afraid to say the only 'laziness and less than sophisticated approach to security' rests with the author.


Robert Siciliano
Robert Siciliano - - Boston 20 October, 2009, 00:50Be the first to give this comment the thumbs up 0 likes

Thanks for dragging me under the bus gents. Bet your mum is proud of you. I was pointing out how some researchers had come to the conclusion. I reported on it. So eat it.

Matt White
Matt White - Finextra - Toronto 20 October, 2009, 09:17Be the first to give this comment the thumbs up 0 likes

Play nice please fellas.

A Finextra member
A Finextra member 27 October, 2009, 11:27Be the first to give this comment the thumbs up 0 likes

Hi Mike,

congrats that you made it to say write/report something that shown that PASSWORDS are a big part causing all this internet fraud. Just imagine we wouldnt use them any more. Meaning to use something that one has to remember and when beeing authenticated to type in his PC.... just look at the solution that shows a real altenative solution which provides strong authentication without

Hi Andrew,

Dont be soo bad to Mike. This blog is very usefull for all who are concerned to security. Of course there are very few of them with a proved knowledge on all these topics like you. And I mean it. By the way, you still have´nt found out (cracked) the WebLookOn key-secret according to your WebLookOn Key-ID : a.churchill ......

all best