Date: Wed, 6 Apr 2011 15:30:34 -0400
From: T Biehn <tbiehn@...il.com>
To: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: password.incleartext.com

I sent this only to Romain; some other posters wanted to know the other scenarios.

-Travis

---------- Forwarded message ----------
From: T Biehn <tbiehn@...il.com>
Date: Wed, Apr 6, 2011 at 10:33 AM
Subject: Re: [Full-disclosure] password.incleartext.com
To: Romain Bourdy <achileos@...il.com>


The only scheme where there's a semblance of security is if the decryption
key was stored in memory only. (Provided on startup perhaps?)

Or the server stores a one-way hash of the password for verification, then
the encrypted version, and queues them up on the X for decryption, an admin
grabs the packet and decrypts locally.

Neither of those schemes is likely to have been implemented on any site,
ever.

In which case plain-text is equivalent to encrypted text with an easily
recoverable key.

-Travis


On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos@...il.com> wrote:

> Hi Full-Disclosure,
>
> Just my two cents but ... the fact they can give your password back doesn't
> mean it's stored in cleartext, just that it's not hashed but encrypted with
> some way to get the original data back, this doesn't mean at all it's not
> secured, even though in most cases it's not.
>
>  -Romain
>
>
> On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko@...b.com> wrote:
>
>> Kinda plaintextoffenders.com?
>>
>> wbr,
>>  - Max
>>
>> full-disclosure-bounces@...ts.grok.org.uk wrote on 01.04.2011 02:17:24:
>>
>> > From: Inc leartext <staff@...leartext.com>
>> > Sent by: full-disclosure-bounces@...ts.grok.org.uk
>> > Date: 01.04.2011 13:14
>> > To: full-disclosure@...ts.grok.org.uk
>> > Subject: [Full-disclosure] password.incleartext.com
>> >
>> > Hi FD,
>> >
>> > Just launched a new website to keep a list of websites storing
>> > passwords in clear text, so far the database is small but feel free
>> > to add some:
>> >     http://password.incleartext.com/
>>
>> >
>> > Cheers,
>> > Inc Leartext
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da




