| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Feb 2010 11:07:37 -0500
From: Dan Kaminsky <dan@...para.com>
To: Michael Neal Vasquez <mnv@...mni.princeton.edu>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: EasyJet is storing user passwords in the clear
On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez <
mnv@...mni.princeton.edu> wrote:
> On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky <dan@...para.com> wrote:
>
>> Sai,
>>
>> I see where you're coming from, but what are the most recent statistics
>> on the effectiveness of hash cracking? Isn't it something like 70% of the
>> passwords in the field can be cracked with a minimal amount of brute
>> forcing?
>>
>>
>
> 70% ?
>
> Plain MD5 perhaps, but I don't think salted, or sha1, etc, have anywhere
> near such high success rates.
>
The problem isn't in the algorithm -- it's in the passwords themselves.
Salting helps in that the attacker can't amortize the work effort across the
entire population, but at the end of the day, even PBKDF2 isn't going to do
much against 1234567890 and its ilk.
To put it another way, if EasyJet *did* have a breach, they couldn't very
well say "It's OK, because the passwords were hashed".
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists