Re: EasyJet is storing user passwords in the clear
From: Sai Emrys <sai () saizai com>
Date: Thu, 25 Feb 2010 14:44:22 -0800
> I see where you're coming from, but what are the most recent statistics
> on the effectiveness of hash cracking? Isn't it something like 70% of the
> passwords in the field can be cracked with a minimal amount of brute
Of course this depends on what you mean by "minimal".
claims 20% success with a 5k dictionary based on the RockYou password
db. Presumably this would be at least somewhat worse with an unknown
db, since their results are from post hoc knowledge.
> There are best practices, and there are vulnerabilities. I don't think
> anybody's going to argue it's not best practice to store hashes rather than
> plaintext, but let's not delude ourselves regarding their effectiveness.
Fair enough. As I wrote in a comment on my blog post, the
vulnerability here is not that EasyJet data would be compromised - if
this is relevant, that's already happened - but that it would lead to
easy escalation of the compromise.
Not every vulnerability disclosure is on the level of structural DNS
issues. ;-) I think that this is at about the level of finding a blind
SQL injection hole.
Is it an awesome new hack? Hardly.
Is it incompetent of EasyJet, given that it's a large company with a
lot of users' data? Yes.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
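An added example, not part of this message or of any EasyJet code: a defender-side audit in Python showing how the same small dictionary fares against plaintext storage, an unsalted fast hash, and a salted slow KDF, which is the "hashing is best practice but not a cure" point argued above. The user set, the five-word dictionary and the PBKDF2 iteration count are constructed values assumed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample credential set (not real data): two users share a weak
# password that appears in the dictionary, one uses a long passphrase.
USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct-horse-battery-staple-2010",
}
# Constructed stand-in for a small "most common passwords" list.
SMALL_DICTIONARY = ["123456", "password", "password1", "qwerty", "letmein"]
PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def store_unsalted_sha1(password):
    """Weak scheme: fast, unsalted. Equal passwords yield equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password, salt=None):
    """Better scheme: per-user random salt and a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_salted_pbkdf2(password, salt, digest):
    """Constant-time comparison of a fresh derivation against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def audit_dictionary_exposure(users, dictionary):
    """Defender-side audit: count accounts the dictionary recovers under each
    scheme, and how many slow derivations that costs. Plaintext needs none."""
    sha1_db = {u: store_unsalted_sha1(p) for u, p in users.items()}
    # Unsalted: hash the dictionary once and reuse it for every account.
    sha1_lookup = {store_unsalted_sha1(w) for w in dictionary}
    sha1_exposed = sum(1 for h in sha1_db.values() if h in sha1_lookup)
    # Salted: every (account, word) pair needs its own derivation.
    pbkdf2_exposed = derivations = 0
    for salt, digest in (store_salted_pbkdf2(p) for p in users.values()):
        for word in dictionary:
            derivations += 1
            if verify_salted_pbkdf2(word, salt, digest):
                pbkdf2_exposed += 1
                break
    return {"plaintext_exposed": len(users), "sha1_exposed": sha1_exposed,
            "pbkdf2_exposed": pbkdf2_exposed, "pbkdf2_derivations": derivations}
```

The weak password falls under every scheme, which is the point of the thread; what hashing buys is that the passphrase user stays safe, identical passwords no longer share a stored value, and each guess against the salted KDF costs a full derivation instead of a table lookup.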