Re: EasyJet is storing user passwords in the clear
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 25 Feb 2010 17:57:59 -0500

On Feb 25, 2010, at 5:44 PM, Sai Emrys <sai () saizai com> wrote:

>> I see where you're coming from, but what are the most recent
>> on the effectiveness of hash cracking? Isn't it something like 70%
>> passwords in the field can be cracked with a minimal amount of brute

> Of course this depends on what you mean by "minimal".
> claims 20% success with a 5k dictionary based on the RockYou password
> db. Presumably this would be at least somewhat worse with an unknown
> db, since their results are from post hoc knowledge.

That's 20% with a work effort of effectively 0 per password with a
single dictionary. Spend a few minutes of brute force on each pass
and the success rate grows.

>> There are best practices, and there are vulnerabilities. I
>> anybody's going to argue it's not best practice to store hashes
>> plaintext, but let's not delude ourselves regarding their

> Fair enough. As I wrote in a comment on my blog post, the
> vulnerability here is not that EasyJet data would be compromised - if
> this is relevant, that's already happened - but that it would lead to
> easy escalation of the compromise.
>
> Not every vulnerability disclosure is on the level of structural DNS
> issues. ;-) I think that this is at about the level of finding a blind
> SQL injection hole.

A SQL Injection hole *is* the compromise. This says, given the
compromise, the work effort is somewhat lower than it might be. The
dependency chain is clear.

There is actually something interesting about this work, in that it's
a really good illustration of the difference between what you can
legally look for in web apps vs. binaries that sit on a machine that
you own. You hit Forgot My Password, and in doing nothing illicit,
nothing unusual, you learn a deep detail about the backend
implementation -- that it stores plaintext passwords.

That's good to know, but with the exception of situations where SQL is
in the URI, we don't get to look for the really scary stuff. At
least, not in a legally safe manner.

> Is it an awesome new hack? Hardly.
>
> Is it incompetent of EasyJet, given that it's a large company with a
> lot of users' data? Yes.

The point I'm making is that they could do better, but not that much
better. Auth is broken, we need to get past passwords, etc.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
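
The work-effort argument in the thread, as an added example that is not part of the original message: a defender's audit of a credential table against a common-password list, counting the guesses needed under unsalted hashing versus salted PBKDF2. The accounts, the dictionary, the function names and the iteration count are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data (assumption, not from the thread).
DICTIONARY = ["123456", "password", "iloveyou", "princess", "easyjet1"]
ACCOUNTS = {"alice": "password", "bob": "iloveyou",
            "carol": "T7#qv!mZp2Lr", "dave": "password"}
PBKDF2_ITERATIONS = 100_000  # assumed work factor per guess

def store_unsalted(pw):
    """Fast unsalted hash: identical passwords give identical records."""
    return hashlib.sha256(pw.encode()).hexdigest()

def store_salted(pw, salt=None):
    """Per-account random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

def verify_salted(pw, record):
    salt, derived = record
    return hmac.compare_digest(store_salted(pw, salt)[1], derived)

def audit_unsalted(table, dictionary):
    """Return (accounts using a dictionary password, hashes computed).
    The dictionary is hashed once and reused for every account."""
    lookup = {store_unsalted(word) for word in dictionary}
    weak = sorted(user for user, digest in table.items() if digest in lookup)
    return weak, len(dictionary)

def audit_salted(table, dictionary):
    """Return (accounts using a dictionary password, KDF calls made).
    Each call costs PBKDF2_ITERATIONS HMAC rounds and serves one account only."""
    weak, guesses = [], 0
    for user, record in table.items():
        for word in dictionary:
            guesses += 1
            if verify_salted(word, record):
                weak.append(user)
                break
    return sorted(weak), guesses

if __name__ == "__main__":
    unsalted = {u: store_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: store_salted(p) for u, p in ACCOUNTS.items()}
    print("unsalted:", audit_unsalted(unsalted, DICTIONARY))
    print("salted:  ", audit_salted(salted, DICTIONARY))
```

Both audits flag the same three accounts; salting and key stretching change the cost per guess and remove the shared lookup, but a password that sits in the dictionary is found either way.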