
Full Disclosure mailing list archives

Re: EasyJet is storing user passwords in the clear
From: Sai Emrys <sai () saizai com>
Date: Thu, 25 Feb 2010 14:44:22 -0800

Dan -

   I see where you're coming from, but what are the most recent statistics
on the effectiveness of hash cracking?  Isn't it something like 70% of the
passwords in the field can be cracked with a minimal amount of brute
forcing?

Of course, this depends on what you mean by "minimal".
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
claims 20% success with a 5k dictionary based on the RockYou password
db. Presumably this would be at least somewhat worse with an unknown
db, since their results are from post hoc knowledge.

   There are best practices, and there are vulnerabilities.  I don't think
anybody's going to argue it's not best practice to store hashes rather than
plaintext, but let's not delude ourselves regarding their effectiveness.

Fair enough. As I wrote in a comment on my blog post, the
vulnerability here is not that EasyJet data would be compromised - if
this is relevant, that's already happened - but that it would lead to
easy escalation of the compromise.

Not every vulnerability disclosure is on the level of structural DNS
issues. ;-) I think that this is at about the level of finding a blind
SQL injection hole.

Is it an awesome new hack? Hardly.

Is it incompetent of EasyJet, given that it's a large company with a
lot of users' data? Yes.

Thanks,
- Sai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
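The thread above turns on how much a password hash actually buys you once a database leaks. The following is an added illustration, not code from the thread or from EasyJet: it runs a small dictionary against a constructed five-user table stored three ways a practitioner would compare (plaintext, unsalted SHA-1, and per-user salted PBKDF2) and counts how many guesses the attacker has to hash in each case. The user names, passwords and the eight-word dictionary are all made up for the example; the PBKDF2 iteration count is a parameter so the demo stays fast.

```python
"""Dictionary attack cost against three password-storage schemes (constructed example)."""
import hashlib
import os

# Constructed, RockYou-style shortlist of the most common passwords. A real
# 5k-entry list would be used in practice; eight entries keep the demo readable.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty",
    "abc123", "letmein", "monkey", "iloveyou",
]

# Constructed "leaked" user table. Three of five users chose dictionary words.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "Tr0ub4dor&3",
    "carol": "password",
    "dave": "correct horse battery staple",
    "erin": "qwerty",
}


def crack_plaintext(users):
    """Plaintext storage: every credential is recovered with zero hashing work."""
    return dict(users), 0


def store_unsalted(users):
    """Unsalted SHA-1, the scheme many sites used around the time of this thread."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def crack_unsalted(table, dictionary):
    """Without salts the attacker hashes the dictionary once and looks every
    user up in the result, so the work is len(dictionary) regardless of how
    many users leaked."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in dictionary}
    cracked = {u: lookup[h] for u, h in table.items() if h in lookup}
    return cracked, len(dictionary)


def store_salted(users, iterations=100_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (a slow, iterated KDF)."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = (salt, iterations, digest)
    return out


def crack_salted(table, dictionary):
    """With salts nothing can be precomputed or shared between users: each
    user costs up to len(dictionary) KDF calls, each of `iterations` rounds.
    Returns the cracked accounts and the number of KDF calls spent."""
    cracked = {}
    kdf_calls = 0
    for u, (salt, iterations, digest) in table.items():
        for w in dictionary:
            kdf_calls += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[u] = w
                break
    return cracked, kdf_calls


def success_rate(cracked, users):
    """Fraction of accounts recovered, comparable to the 20% figure cited above."""
    return len(cracked) / len(users)


if __name__ == "__main__":
    pt, _ = crack_plaintext(SAMPLE_USERS)
    print(f"plaintext: {success_rate(pt, SAMPLE_USERS):.0%} recovered, 0 hashes computed")

    unsalted, work = crack_unsalted(store_unsalted(SAMPLE_USERS), COMMON_PASSWORDS)
    print(f"unsalted SHA-1: {success_rate(unsalted, SAMPLE_USERS):.0%} recovered, "
          f"{work} hashes computed for all users")

    table = store_salted(SAMPLE_USERS, iterations=20_000)
    salted, calls = crack_salted(table, COMMON_PASSWORDS)
    print(f"salted PBKDF2: {success_rate(salted, SAMPLE_USERS):.0%} recovered, "
          f"{calls} KDF calls = {calls * 20_000:,} SHA-256 rounds")
```

The numbers make both sides of the argument concrete: the weak passwords fall to the dictionary whether or not they are hashed, which is Dan's point, but hashing with a salt and an iterated KDF multiplies the attacker's cost per account by the iteration count and removes the one-time precomputation, while plaintext hands over every credential, strong ones included, for reuse elsewhere, which is the escalation Sai describes.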
