Message-ID: <opsca599dbyl48zk@wintony>
Date: Fri, 06 Aug 2004 12:31:11 +0100
From: "Kevin Sheldrake" <kev@...ctriccat.co.uk>
To: "Lee Dilkie" <lee_dilkie@...el.com>,
	"Toomas Soome" <Toomas.Soome@...rolink.ee>
Cc: bugtraq@...urityfocus.com
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards


Not unless the card is stolen and the owner either doesn't notice  
immediately or doesn't report it immediately.  How many people will turn  
up at work (for instance) claiming to have 'forgotten' their card rather  
than report it lost, on the off chance they have actually misplaced it?   
If the keys give access to money, reputation, authority or the like then  
perhaps the size of the exposure window is important?

Kev


> Perhaps I'm missing something here. As far as I can tell, no keys  
> located on the card were compromised, only the PIN was. Since this is a  
> two factor authentication system, possession of the PIN is of little  
> value without possession of the token itself.
>
> Am I missing the point here?
>
> regards,
>
> -lee
>



-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

