
Re: [Full-disclosure] EasyJet is storing user passwords in the clear



Dan -

>    I see where you're coming from, but what are the most recent statistics
> on the effectiveness of hash cracking?  Isn't it something like 70% of the
> passwords in the field can be cracked with a minimal amount of brute
> forcing?

Of course this depends on what you mean by "minimal".
http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
claims 20% success with a 5k dictionary based on the RockYou password
db. Presumably this would be at least somewhat worse with an unknown
db, since their results are from post hoc knowledge.

>    There are best practices, and there are vulnerabilities.  I don't think
> anybody's going to argue it's not best practice to store hashes rather than
> plaintext, but let's not delude ourselves regarding their effectiveness.

Fair enough. As I wrote in a comment on my blog post, the
vulnerability here is not that EasyJet data would be compromised - if
this is relevant, that's already happened - but that it would lead to
easy escalation of the compromise.

Not every vulnerability disclosure is on the level of structural DNS
issues. ;-) I think that this is at about the level of finding a blind
SQL injection hole.

Is it an awesome new hack? Hardly.

Is it incompetent of EasyJet, given that it's a large company with a
lot of users' data? Yes.

Thanks,
- Sai

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/