Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: EasyJet is storing user passwords in the clear
From: Michael Neal Vasquez <mnv () alumni princeton edu>
Date: Thu, 25 Feb 2010 09:31:05 -0700

If I reread your statement, and take it as "70% of people's passwords suck"
-- I'd have to agree.  I'd say though, for the remaining 30%, algorithm
choice, even without salting, can make a difference.  My password audits go
much quicker when LM is enabled, vs NTLM.  Same for MD5 vs SHA1.

On Thu, Feb 25, 2010 at 9:07 AM, Dan Kaminsky <dan () doxpara com> wrote:

On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez <
mnv () alumni princeton edu> wrote:

On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky <dan () doxpara com> wrote:


   I see where you're coming from, but what are the most recent
statistics on the effectiveness of hash cracking?  Isn't it something like
70% of the passwords in the field can be cracked with a minimal amount of
brute forcing?

70% ?

Plain MD5 perhaps, but I don't think salted, or sha1, etc, have anywhere
near such high success rates.

The problem isn't in the algorithm -- it's in the passwords themselves.
Salting helps in that the attacker can't amortize the work effort across the
entire population, but at the end of the day, even PBKDF2 isn't going to do
much against 1234567890 and its ilk.

To put it another way, if EasyJet *did* have a breach, they couldn't very
well say "It's OK, because the passwords were hashed".

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]