Date: Wed, 6 Apr 2011 22:38:56 +0200
From: Romain Bourdy <achileos@...il.com>
To: T Biehn <tbiehn@...il.com>
Cc: full-disclosure <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: password.incleartext.com

So let's say I store passwords using PGP for *recovery*, encrypted with my
own keys as sender and recipient. I can recover plaintext passwords
whenever I want to, but is it insecure? As long as it's handled somewhere
else I don't feel it is unsafe. Where am I wrong?

Rgds,
-Romain


On Wed, Apr 6, 2011 at 9:30 PM, T Biehn <tbiehn@...il.com> wrote:

> I sent this only to Romain,
> Some other posters wanted to know the other scenarios.
>
> -Travis
>
>
> ---------- Forwarded message ----------
> From: T Biehn <tbiehn@...il.com>
> Date: Wed, Apr 6, 2011 at 10:33 AM
> Subject: Re: [Full-disclosure] password.incleartext.com
> To: Romain Bourdy <achileos@...il.com>
>
>
> The only scheme where there's a semblance of security is if the decryption
> key was stored in memory only. (Provided on startup perhaps?)
>
> Or the server stores a one way hash of the password for verification, then
> the encrypted version, and queues them up on the X for decryption, an admin
> grabs the packet and decrypts locally.
>
> Neither of those schemes is likely to have been implemented on any site,
> ever.
>
> In which case plain-text is equivalent to encrypted text with an easily
> recoverable key.
>
> -Travis
>
>
> On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos@...il.com> wrote:
>
>> Hi Full-Disclosure,
>>
>> Just my two cents but ... the fact they can give your password back
>> doesn't mean it's stored in cleartext, just that it's not hashed but
>> encrypted with some way to get the original data back. This doesn't mean at
>> all that it's not secured, even though in most cases it's not.
>>
>>  -Romain
>>
>>
>> On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko@...b.com> wrote:
>>
>>> Kinda plaintextoffenders.com?
>>>
>>> wbr,
>>>  - Max
>>>
>>> full-disclosure-bounces@...ts.grok.org.uk wrote on 01.04.2011 02:17:24:
>>>
>>> > From: Inc leartext <staff@...leartext.com>
>>> > Sent by: full-disclosure-bounces@...ts.grok.org.uk
>>> > Date: 01.04.2011 13:14
>>> > To: full-disclosure@...ts.grok.org.uk
>>> > Subject: [Full-disclosure] password.incleartext.com
>>> >
>>> > Hi FD,
>>> >
>>> > Just launched a new website to keep a list of websites storing
>>> > passwords in clear text, so far the database is small but feel free
>>> > to add some:
>>> >     http://password.incleartext.com/
>>> >
>>> > Cheers,
>>> > Inc Leartext
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
>
>
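The admin-side scheme Travis sketches in the quoted reply (a one-way hash the server checks at login, plus an encrypted copy that only an admin can decrypt locally) as an added example in Go, written for this archive page and not code from anyone in the thread. The names Record, Store, Verify and Recover are assumptions; the server is assumed to hold only the admin's X25519 public key, and the salted HMAC verifier stands in for a real password hash.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Record is everything the server keeps. Salt+Verifier are one-way and only good
// for checking a login; EphPub+Nonce+Blob open only with the admin's offline key.
type Record struct{ Salt, Verifier, EphPub, Nonce, Blob []byte }

// must is a demo shortcut for errors that well-formed inputs cannot produce.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// verifier stands in for bcrypt/scrypt/argon2 (dependency-free, but far too fast).
func verifier(salt []byte, pw string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(pw))
	return m.Sum(nil)
}

// aead derives AES-256-GCM from an X25519 shared secret (HKDF would be better).
func aead(shared []byte) cipher.AEAD {
	k := sha256.Sum256(shared)
	return must(cipher.NewGCM(must(aes.NewCipher(k[:]))))
}

// Store runs on the server, which holds only the admin's public key.
func Store(adminPub *ecdh.PublicKey, pw string) Record {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader)) // fresh key pair per record
	g := aead(must(eph.ECDH(adminPub)))
	salt, nonce := make([]byte, 16), make([]byte, g.NonceSize())
	rand.Read(salt)
	rand.Read(nonce)
	pub := eph.PublicKey().Bytes() // needed by the admin, useless to an attacker
	return Record{Salt: salt, Verifier: verifier(salt, pw), EphPub: pub, Nonce: nonce, Blob: g.Seal(nil, nonce, []byte(pw), pub)}
}

// Verify runs on the server at login: constant-time, nothing reversible involved.
func Verify(r Record, pw string) bool { return hmac.Equal(r.Verifier, verifier(r.Salt, pw)) }

// Recover runs on the admin's machine, the only place the private key exists.
func Recover(adminPriv *ecdh.PrivateKey, r Record) (string, error) {
	ephPub := must(ecdh.X25519().NewPublicKey(r.EphPub))
	pt, err := aead(must(adminPriv.ECDH(ephPub))).Open(nil, r.Nonce, r.Blob, r.EphPub)
	return string(pt), err // non-nil err: wrong admin key or tampered record
}
```

Because the private key never reaches the server, a copy of the records alone yields verifiers but no passwords, which is exactly the property a design that keeps the decryption key on the same box lacks.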
