Re: [Full-disclosure] password.incleartext.com
- To: full-disclosure <Full-Disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] password.incleartext.com
- From: T Biehn <tbiehn@xxxxxxxxx>
- Date: Wed, 6 Apr 2011 15:30:34 -0400
I sent this only to Romain; some other posters wanted to know the other scenarios.
-Travis
---------- Forwarded message ----------
From: T Biehn <tbiehn@xxxxxxxxx>
Date: Wed, Apr 6, 2011 at 10:33 AM
Subject: Re: [Full-disclosure] password.incleartext.com
To: Romain Bourdy <achileos@xxxxxxxxx>
The only scheme where there's a semblance of security is if the decryption
key was stored in memory only. (Provided on startup perhaps?)
Or the server stores a one way hash of the password for verification, then
the encrypted version, and queues them up on the X for decryption, an admin
grabs the packet and decrypts locally.
Neither of those schemes is likely to have been implemented on any site,
ever.
In which case plain-text is equivalent to encrypted text with an easily
recoverable key.
-Travis
On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos@xxxxxxxxx> wrote:
> Hi Full-Disclosure,
>
> Just my two cents but ... the fact they can give your password back doesn't
> mean it's stored in cleartext, just that it's not hashed but encrypted with
> some way to get the original data back. This doesn't mean at all it's not
> secured, even though in most cases it's not.
>
> -Romain
>
>
> On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko@xxxxxxxx> wrote:
>
>> Kinda plaintextoffenders.com?
>>
>> wbr,
>> - Max
>>
>> full-disclosure-bounces@xxxxxxxxxxxxxxxxx wrote on 01.04.2011 02:17:24:
>>
>> > From: Inc leartext <staff@xxxxxxxxxxxxxxx>
>> > Sent by: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>> > Date: 01.04.2011 13:14
>> > To: full-disclosure@xxxxxxxxxxxxxxxxx
>> > Subject: [Full-disclosure] password.incleartext.com
>> >
>> > Hi FD,
>> >
>> > Just launched a new website to keep a list of websites storing
>> > passwords in clear text, so far the database is small but feel free
>> > to add some:
>> > http://password.incleartext.com/
>> >
>> > Cheers,
>> > Inc Leartext
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
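The three storage designs argued over in this thread (a one-way hash only; reversible encryption with the key sitting on the same server as the data; and Travis's variant where the server keeps a hash for login plus a ciphertext whose key is only ever held in memory or off the box) can be compared directly. The script below is an added illustration, not code from any poster or from the incleartext.com site; the site names, the sample password, the "dump" dictionaries and the HMAC-SHA256 keystream standing in for a real cipher are all constructed for the demo. What it shows is the point Travis makes: once the key is persisted beside the data, "encrypted" and "plaintext" give the same result to whoever holds a copy of the disk.

```python
import hashlib
import hmac
import os
import secrets

CONSTRUCTED_PASSWORD = "correct horse battery staple"  # constructed sample value


def hash_password(password, salt=None, iterations=200_000):
    """One-way storage: PBKDF2-HMAC-SHA256 with a random salt. Verifiable, not recoverable."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(record, candidate):
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def _keystream(key, nonce, length):
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for a real
    # authenticated cipher; enough to make the "key location" argument visible.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_reversible(key, plaintext):
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return {"nonce": nonce, "ciphertext": ct}


def decrypt_reversible(key, record):
    ct = record["ciphertext"]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, record["nonce"], len(ct))))
    return pt.decode()


def build_site(mode):
    """Construct a toy site in one of the three modes discussed in the thread.

    Returns (on_disk_dump, process_memory). Everything in on_disk_dump is what a
    backup, a stolen disk image or a SQL-injection dump would expose.
    """
    key = secrets.token_bytes(32)
    record = {"hash": hash_password(CONSTRUCTED_PASSWORD)}
    disk = {"users": {"alice": record}}
    memory = {}
    if mode == "hash_only":
        pass
    elif mode == "key_on_server":
        # Reversible encryption, key written to the app config beside the database.
        record["enc"] = encrypt_reversible(key, CONSTRUCTED_PASSWORD)
        disk["config"] = {"password_key": key}
    elif mode == "key_off_server":
        # Travis's scheme: hash for login, ciphertext for recovery, key supplied at
        # startup (or held by an admin offline) and never persisted.
        record["enc"] = encrypt_reversible(key, CONSTRUCTED_PASSWORD)
        memory["password_key"] = key
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return disk, memory


def login_works(disk, candidate):
    """Login is always checked against the one-way hash, whatever else is stored."""
    return verify_password(disk["users"]["alice"]["hash"], candidate)


def recover_from_dump(disk):
    """What the holder of the on-disk artefacts alone can get back, or None."""
    rec = disk["users"]["alice"]
    key = disk.get("config", {}).get("password_key")
    if "enc" not in rec or key is None:
        return None
    return decrypt_reversible(key, rec["enc"])


if __name__ == "__main__":
    for mode in ("hash_only", "key_on_server", "key_off_server"):
        disk, memory = build_site(mode)
        print(f"{mode:15} login={login_works(disk, CONSTRUCTED_PASSWORD)} "
              f"recoverable_from_dump={recover_from_dump(disk) is not None}")
```

Running it prints that login succeeds in all three modes, that only the key_on_server dump yields the password, and (by calling decrypt_reversible with the in-memory key) that the key_off_server design is still recoverable by anyone who can read the running process. Defensively, the hash_only row is the baseline to aim for; a site that can e-mail your password back to you is, at best, in the key_on_server row.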