Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: EasyJet is storing user passwords in the clear
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 25 Feb 2010 11:07:37 -0500

On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez <
mnv () alumni princeton edu> wrote:

On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky <dan () doxpara com> wrote:

Sai,

   I see where you're coming from, but what are the most recent statistics
on the effectiveness of hash cracking?  Isn't it something like 70% of the
passwords in the field can be cracked with a minimal amount of brute
forcing?



70% ?

Plain MD5 perhaps, but I don't think salted, or sha1, etc, have anywhere
near such high success rates.


The problem isn't in the algorithm -- it's in the passwords themselves.
Salting helps in that the attacker can't amortize the work effort across the
entire population, but at the end of the day, even PBKDF2 isn't going to do
much against 1234567890 and its ilk.

To put it another way, if EasyJet *did* have a breach, they couldn't very
well say "It's OK, because the passwords were hashed".
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]