| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070831201735.GA11181@lboro.ac.uk> Date: Fri, 31 Aug 2007 21:17:35 +0100 From: A.L.M.Buxey@...ro.ac.uk To: drumknott@...hmail.com Cc: full-disclosure@...ts.grok.org.uk Subject: Re: LloydsTSB Bruteforce Possibility in Memorable Information Hi, > The issue lies in that if the user gets the memorable information > incorrect they are asked for the same character positions (e.g. 1, > 7 and 9 again). This continues forever, basically making the > memorable information pointless because it will not take much to > brute force it. not correct. after about 7 attempts the account is locked out at the username/password part > No attempts have been made to contact LloydsTSB regarding this > matter as I was unable to locate contact details and it is not that > severe. http://www.lloydstsb.com/security.asp is a good starting point anyway, LloydsTSB are moving to 2-factor authentication and most of their customers should have their online backing upgraded by the end of this year http://www.vnunet.com/computing/news/2151425/lloyds-tsb-trial-wipes-online alan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists