Message-ID: <AANLkTi=a5Qu6erT4QYH+AYi4mg6TVECdcAxe-jeA6MCs@mail.gmail.com>
Date: Thu, 14 Oct 2010 09:41:18 +1100
From: silky <michaelslists@...il.com>
To: Mutiny <mutiny@...inbeardsucks.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Filezilla's silent caching of user's credentials

On Wed, Oct 13, 2010 at 2:33 PM, Mutiny <mutiny@...inbeardsucks.com> wrote:
> The issue is that someone gained access to that file. You sharing your
> drives over the internet with read privileges? You have other
> vulnerable software being leveraged to read that file? Would you prefer
> they MD5'd it? It sounds like your issue is that your password is
> stored. I mean, they moved your encrypted password from passwd to
> shadow for a reason, but that doesn't change the fact that it's stored
> and if someone doesn't need access to shadow or passwd, they shouldn't
> have it.
>
> Stop logging into your FTP server from a public terminal with Filezilla.

Rubbish. The passwords should be encoded so as to avoid trivial searching. End of story. It takes 10 minutes to do from a development point of view, and there is no excuse.

--
silky
http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy of being this signature."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
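The two positions in the thread (stored credentials are only as safe as the file's access controls, versus "encode them so they can't be found by a trivial search") can be made concrete with a small audit script. The example below is added here and is not part of the mailing-list message nor FileZilla's own code. It assumes a site-manager file shaped like FileZilla's (a `<Server>` element carrying `<Host>` and `<Pass>`, with an optional `encoding="base64"` attribute on `<Pass>`); both configs and the password value are constructed for the example. It shows that a plain text search finds the cleartext credential but not the base64 form, while anyone who can read the file still recovers the encoded one, which is the caveat a practitioner should keep in mind when weighing "encoding" against file permissions or an OS keychain.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample credential (not a real password).
SAMPLE_SECRET = "s3cret-pw"

# Constructed config in the cleartext style: the password sits verbatim in <Pass>.
PLAINTEXT_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<Sites>
  <Server>
    <Host>ftp.example.test</Host>
    <Port>21</Port>
    <User>alice</User>
    <Pass>{SAMPLE_SECRET}</Pass>
  </Server>
</Sites>
"""

# Constructed config in the "encoded" style: same value, base64-wrapped.
ENCODED_CONFIG = f"""<?xml version="1.0" encoding="UTF-8"?>
<Sites>
  <Server>
    <Host>ftp.example.test</Host>
    <Port>21</Port>
    <User>alice</User>
    <Pass encoding="base64">{base64.b64encode(SAMPLE_SECRET.encode()).decode()}</Pass>
  </Server>
</Sites>
"""


def naive_grep_hits(xml_text: str, secret: str) -> bool:
    """The 'trivial search' from the thread: does the raw file contain the secret?"""
    return secret in xml_text


def audit_stored_credentials(xml_text: str) -> list[dict]:
    """Walk every <Server> entry and report how its password is stored.

    Returns one record per entry with the host, the storage form
    ('plaintext' or the encoding attribute), and the value a reader of the
    file can recover. Base64 is reversible, so 'recovered' equals the real
    password in both forms; only its greppability differs.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None:
            continue  # entry saved without a password: nothing at rest to worry about
        stored = (pass_el.text or "").strip()
        encoding = pass_el.get("encoding") or "plaintext"
        if encoding == "base64":
            recovered = base64.b64decode(stored).decode()
        else:
            recovered = stored
        findings.append(
            {
                "host": server.findtext("Host"),
                "encoding": encoding,
                "stored": stored,
                "recovered": recovered,
                # Risk flag for a defender: credential at rest that file access alone exposes.
                "recoverable_from_file": True,
            }
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT_CONFIG), ("base64", ENCODED_CONFIG)):
        print(f"[{label}] grep finds secret: {naive_grep_hits(cfg, SAMPLE_SECRET)}")
        for f in audit_stored_credentials(cfg):
            print(f"[{label}] {f['host']}: stored as {f['encoding']}, recoverable={f['recoverable_from_file']}")
```

Running the block prints that the search succeeds only against the cleartext file, while the audit recovers the credential from both; the practical mitigation is therefore restricting who can read the file (or not persisting the password at all), with encoding serving only to defeat casual discovery.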