Message-ID: <646661981002251444i6d08b80ct1540188e163f8f38@mail.gmail.com>
Date: Thu, 25 Feb 2010 14:44:22 -0800
From: Sai Emrys <sai@...zai.com>
To: Dan Kaminsky <dan@...para.com>
Cc: tips <tips@...hcrunch.com>, full-disclosure <full-disclosure@...ts.grok.org.uk>, news <news@...register.co.uk>, liz <liz@...aom.com>, Lance Wantenaar <lance.wantenaar@...yjet.com>
Subject: Re: EasyJet is storing user passwords in the clear

Dan -

> I see where you're coming from, but what are the most recent statistics
> on the effectiveness of hash cracking? Isn't it something like 70% of the
> passwords in the field can be cracked with a minimal amount of brute
> forcing?

Of course this depends on what you mean by "minimal".

http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf claims
20% success with a 5k dictionary based on the RockYou password db.
Presumably this would be at least somewhat worse with an unknown db, since
their results are from post hoc knowledge.

> There are best practices, and there are vulnerabilities. I don't think
> anybody's going to argue it's not best practice to store hashes rather than
> plaintext, but let's not delude ourselves regarding their effectiveness.

Fair enough. As I wrote in a comment on my blog post, the vulnerability here
is not that EasyJet data would be compromised - if this is relevant, that's
already happened - but that it would lead to easy escalation of the
compromise.

Not every vulnerability disclosure is on the level of structural DNS issues. ;-)

I think that this is at about the level of finding a blind SQL injection
hole. Is it an awesome new hack? Hardly. Is it incompetent of EasyJet, given
that it's a large company with a lot of users' data? Yes.

Thanks,
- Sai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
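The exchange above turns on two claims: a small dictionary recovers a sizeable fraction of real-world passwords even when they are hashed, and hashing is still worth doing because it turns a free read of every credential into work that scales with the number of users. The following script is an added example (not part of the thread, and not EasyJet's or anyone's production code) that makes both points measurable on a constructed five-user dump. The user names, passwords, the ten-word dictionary standing in for a 5k list, and the choice of SHA-1 and PBKDF2-HMAC-SHA256 as the "unsalted" and "salted, slow" schemes are all assumptions of the example.

```python
"""Dictionary attack against three storage schemes (added example, constructed data).

Compares the attacker's work for the same user table stored as
  1. plaintext            (what the thread accuses EasyJet of),
  2. unsalted SHA-1       (hashing as a speed bump: one dictionary pass for all users),
  3. salted PBKDF2        (one dictionary pass per user, each guess costing N iterations).
Every name, password and dictionary word below is made up for this example.
"""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed stand-in for a "top 5k" list; order matters for the cost accounting.
DICTIONARY: List[str] = ["123456", "password", "qwerty", "letmein", "easyjet",
                         "iloveyou", "abc123", "monkey", "football", "welcome"]

# Constructed user table: (username, plaintext). Three of five reuse a dictionary word.
USERS: List[Tuple[str, str]] = [
    ("alice", "123456"),
    ("bob", "correct horse battery staple"),
    ("carol", "letmein"),
    ("dave", "Tr0ub4dor&3"),
    ("erin", "easyjet"),
]


def store_plaintext(users: List[Tuple[str, str]]) -> Dict[str, str]:
    """Scheme 1: the stored column is the password itself."""
    return dict(users)


def store_unsalted_sha1(users: List[Tuple[str, str]]) -> Dict[str, str]:
    """Scheme 2: one unsalted, unkeyed fast hash per user."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users}


def store_salted_pbkdf2(users: List[Tuple[str, str]],
                        iterations: int = 100_000) -> Dict[str, Tuple[bytes, int, bytes]]:
    """Scheme 3: per-user random salt plus a deliberately slow KDF."""
    table = {}
    for u, p in users:
        salt = os.urandom(16)
        table[u] = (salt, iterations, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return table


def crack_plaintext(table: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Zero work: every account falls, strong passphrase or not."""
    return dict(table), 0


def crack_unsalted(table: Dict[str, str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash the dictionary once and look every user up in it.
    Cost is |dictionary| hash evaluations regardless of how many users leaked."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in dictionary}
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, len(dictionary)


def crack_salted(table: Dict[str, Tuple[bytes, int, bytes]],
                 dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """The salt forces a fresh dictionary pass per user (stopping at the first hit),
    and each guess is 'iterations' HMACs deep. Returns cracked users and KDF calls."""
    cracked, kdf_calls = {}, 0
    for u, (salt, iterations, dk) in table.items():
        for w in dictionary:
            kdf_calls += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == dk:
                cracked[u] = w
                break
    return cracked, kdf_calls


def fraction_cracked(cracked: Dict[str, str], users: List[Tuple[str, str]]) -> float:
    """The figure the Imperva/RockYou number expresses: accounts recovered / accounts leaked."""
    return len(cracked) / len(users)


if __name__ == "__main__":
    for name, table, attack in [
        ("plaintext", store_plaintext(USERS), lambda t: crack_plaintext(t)),
        ("unsalted sha1", store_unsalted_sha1(USERS), lambda t: crack_unsalted(t, DICTIONARY)),
        ("salted pbkdf2", store_salted_pbkdf2(USERS), lambda t: crack_salted(t, DICTIONARY)),
    ]:
        got, work = attack(table)
        print(f"{name:14s} cracked {fraction_cracked(got, USERS):.0%}  hash/KDF calls: {work}")
```

Running it shows the same three weak accounts falling under both hashed schemes (the dictionary does not care how the hash is stored), while the plaintext table gives up all five, including the two strong passwords. The work column is where the schemes differ: the unsalted table costs one pass over the dictionary for the whole dump, the salted one costs a pass per user with each guess multiplied by the iteration count. That is the "easy escalation" the reply describes: with plaintext, bob's and dave's passwords, and every other site they reused them on, are exposed for free.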