Message-ID: <646661981002251444i6d08b80ct1540188e163f8f38@mail.gmail.com>
Date: Thu, 25 Feb 2010 14:44:22 -0800
From: Sai Emrys <sai@...zai.com>
To: Dan Kaminsky <dan@...para.com>
Cc: tips <tips@...hcrunch.com>,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	news <news@...register.co.uk>, liz <liz@...aom.com>,
	Lance Wantenaar <lance.wantenaar@...yjet.com>
Subject: Re: EasyJet is storing user passwords in the clear

Dan -

>    I see where you're coming from, but what are the most recent statistics
> on the effectiveness of hash cracking?  Isn't it something like 70% of the
> passwords in the field can be cracked with a minimal amount of brute
> forcing?

Of course this depends on what you mean by "minimal".
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
claims 20% success with a 5k dictionary based on the RockYou password
db. Presumably this would be at least somewhat worse with an unknown
db, since their results are from post hoc knowledge.

>    There are best practices, and there are vulnerabilities.  I don't think
> anybody's going to argue it's not best practice to store hashes rather than
> plaintext, but let's not delude ourselves regarding their effectiveness.

Fair enough. As I wrote in a comment on my blog post, the
vulnerability here is not that EasyJet data would be compromised - if
this is relevant, that's already happened - but that it would lead to
easy escalation of the compromise.

Not every vulnerability disclosure is on the level of structural DNS
issues. ;-) I think that this is at about the level of finding a blind
SQL injection hole.

Is it an awesome new hack? Hardly.

Is it incompetent of EasyJet, given that it's a large company with a
lot of users' data? Yes.

Thanks,
- Sai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
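The point argued in the thread (hashing beats plaintext, but weak passwords still fall to a small dictionary) can be checked on a toy credential store. The script below is an added example written for this archive page, not code from either correspondent; the wordlist, user names, passwords and iteration count are all constructed, and it contrasts an unsalted fast hash with salted PBKDF2 so the cost difference for an auditor is visible.

```python
"""Constructed audit of a toy credential store against a tiny wordlist.

A defender runs this kind of check to estimate exposure before a breach.
It shows two things from the thread: a dictionary still recovers weak
passwords from hashes, and salting with a slow KDF multiplies the work.
"""
import hashlib
import hmac
import os

# Constructed sample data: a five-word "dictionary" and four users.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou"]
USERS = {"alice": "123456", "bob": "X7#fq!pL9z",
         "carol": "letmein", "dave": "password"}
PBKDF2_ITERATIONS = 100_000  # assumed cost parameter, not from the page


def store_unsalted_sha1(pw):
    """Weak scheme: one unsalted, fast hash per password."""
    return hashlib.sha1(pw.encode()).hexdigest()


def store_pbkdf2(pw, salt=None):
    """Better scheme: random salt plus an iterated, slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def audit_unsalted(wordlist, users=USERS):
    """One hash per word tests every user at once (no salt)."""
    table = {u: store_unsalted_sha1(p) for u, p in users.items()}
    lookup = {store_unsalted_sha1(w): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in table.items() if h in lookup}
    return recovered, len(wordlist)  # hashes computed by the auditor


def audit_pbkdf2(wordlist, users=USERS):
    """Per-user salt forces a separate slow KDF call per user per word."""
    table = {u: store_pbkdf2(p) for u, p in users.items()}
    recovered, work = {}, 0
    for user, (salt, dk) in table.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(store_pbkdf2(w, salt)[1], dk):
                recovered[user] = w
                break
    return recovered, work


def exposure(recovered, users=USERS):
    """Fraction of accounts the wordlist recovered."""
    return len(recovered) / len(users)


if __name__ == "__main__":
    for name, audit in (("unsalted sha1", audit_unsalted), ("pbkdf2", audit_pbkdf2)):
        found, work = audit(WORDLIST)
        print(f"{name}: recovered {exposure(found):.0%} with {work} KDF calls")
```

Both schemes give up the same three weak accounts, so hashing alone does not fix a weak-password population; the salted KDF only raises the auditor's (and the attacker's) per-guess cost.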