Full Disclosure: Re: password.incleartext.com

[Romain Bourdy <achileos () gmail com>]

So let's say I store password using PGP for *recovery*, encrypted with my
own keys as sender and recipient , I can recover plaintext passwords
whenever I want to, but is it unsecure ? As long as it handled somewhere
else I don't feel it as being unsafe. Where am I wrong ?

Rgds,
-Romain


On Wed, Apr 6, 2011 at 9:30 PM, T Biehn <tbiehn () gmail com> wrote:

> I sent this only to Romain,
> Some other posters wanted to know the other scenarios.
>
> -Travis
>
>
> ---------- Forwarded message ----------
> From: T Biehn <tbiehn () gmail com>
> Date: Wed, Apr 6, 2011 at 10:33 AM
> Subject: Re: [Full-disclosure] password.incleartext.com
> To: Romain Bourdy <achileos () gmail com>
>
>
> The only scheme where there's a semblance of security is if the decryption
> key was stored in memory only. (Provided on startup perhaps?)
>
> Or the server stores a one way hash of the password for verification, then
> the encrypted version, and queues them up on the X for decryption, an admin
> grabs the packet and decrypts locally.
>
> Neither of those schemes are likely to have been implemented on any site,
> ever.
>
> In which case plain-text is equivalent to encrypted text with an easily
> recoverable key.
>
> -Travis
>
>
> On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos () gmail com> wrote:
>
> > Hi Full-Disclosure,
> >
> > Just my two cents but ... the fact they can give your password back
> > doesn't mean it's stored in cleartext, just that it's not hashed but
> > encrypted with some way to get the original data back, this doesn't mean at
> > all it's not secured, even though in most case it's not.
> >
> >  -Romain
> >
> >
> > On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko () fuib com> wrote:
> >
> > > Kinda plaintextoffenders.com?
> > >
> > > wbr,
> > >  - Max
> > >
> > > full-disclosure-bounces () lists grok org uk wrote on 01.04.2011 02:17:24:
> > >
> > > > Inc leartext <staff () incleartext com>
> > > > Sent by: full-disclosure-bounces () lists grok org uk
> > > >
> > > > 01.04.2011 13:14
> > > >
> > > > To
> > > >
> > > > full-disclosure () lists grok org uk
> > > >
> > > > cc
> > > >
> > > > Subject
> > > >
> > > > [Full-disclosure] password.incleartext.com
> > > >
> > > > Hi FD,
> > > >
> > > > Just launched a new website to keep a list of websites storing
> > > > passwords in clear text, so far the database is small but feel free
> > > > to add some:
> > > >     http://password.incleartext.com/
> > > > Cheers,
> > > > Inc Leartext_______________________________________________
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/