Re: [Full-disclosure] password.incleartext.com
- To: T Biehn <tbiehn@xxxxxxxxx>
- Subject: Re: [Full-disclosure] password.incleartext.com
- From: Romain Bourdy <achileos@xxxxxxxxx>
- Date: Wed, 6 Apr 2011 22:38:56 +0200
So let's say I store passwords using PGP for *recovery*, encrypted with my
own keys as sender and recipient. I can recover plaintext passwords
whenever I want to, but is it insecure? As long as it is handled somewhere
else I don't feel it as being unsafe. Where am I wrong?
Rgds,
-Romain
On Wed, Apr 6, 2011 at 9:30 PM, T Biehn <tbiehn@xxxxxxxxx> wrote:
> I sent this only to Romain,
> Some other posters wanted to know the other scenarios.
>
> -Travis
>
>
> ---------- Forwarded message ----------
> From: T Biehn <tbiehn@xxxxxxxxx>
> Date: Wed, Apr 6, 2011 at 10:33 AM
> Subject: Re: [Full-disclosure] password.incleartext.com
> To: Romain Bourdy <achileos@xxxxxxxxx>
>
>
> The only scheme where there's a semblance of security is if the decryption
> key was stored in memory only. (Provided on startup perhaps?)
>
> Or the server stores a one way hash of the password for verification, then
> the encrypted version, and queues them up on the X for decryption, an admin
> grabs the packet and decrypts locally.
>
> Neither of those schemes is likely to have been implemented on any site,
> ever.
>
> In which case plain-text is equivalent to encrypted text with an easily
> recoverable key.
>
> -Travis
>
>
> On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos@xxxxxxxxx> wrote:
>
>> Hi Full-Disclosure,
>>
>> Just my two cents but ... the fact they can give your password back
>> doesn't mean it's stored in cleartext, just that it's not hashed but
>> encrypted with some way to get the original data back. This doesn't mean at
>> all it's not secured, even though in most cases it's not.
>>
>> -Romain
>>
>>
>> On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko@xxxxxxxx> wrote:
>>
>>> Kinda plaintextoffenders.com?
>>>
>>> wbr,
>>> - Max
>>>
>>> full-disclosure-bounces@xxxxxxxxxxxxxxxxx wrote on 01.04.2011 02:17:24:
>>>
>>> > Inc leartext <staff@xxxxxxxxxxxxxxx>
>>> > Sent by: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>> > 01.04.2011 13:14
>>> > To: full-disclosure@xxxxxxxxxxxxxxxxx
>>> > cc:
>>> > Subject: [Full-disclosure] password.incleartext.com
>>> >
>>> > Hi FD,
>>> >
>>> > Just launched a new website to keep a list of websites storing
>>> > passwords in clear text, so far the database is small but feel free
>>> > to add some:
>>> > http://password.incleartext.com/
>>>
>>> >
>>> > Cheers,
>>> > Inc Leartext
>>> > _______________________________________________
>>> > Full-Disclosure - We believe in it.
>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>
>
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
>
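The storage design Travis sketches in the quoted message (a one-way hash for login verification beside a copy encrypted for an admin who decrypts it somewhere else) and Romain's question about PGP-encrypting passwords for recovery both come down to one thing: where the decryption key lives. The Go program below is an added example written for this page; it is not code from the thread, from the list, or from incleartext.com. It keeps a salted PBKDF2-HMAC-SHA256 verifier and an RSA-OAEP recovery copy in the server-side record, while the private key exists only in the admin's offline process. The function names, the 100,000-iteration count, the OAEP label and the sample passwords are the example's own assumptions, and PBKDF2 is written out by hand because only the Go standard library is assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Record is the per-user row the web server stores. It holds a one-way
// verifier for login plus a recovery copy encrypted to the admin's RSA
// public key. The private key is never given to the server, so a dump of
// these rows on its own yields no password.
type Record struct {
	Salt     []byte
	Verifier []byte // PBKDF2-HMAC-SHA256(password, Salt)
	Recovery []byte // RSA-OAEP(adminPub, password), opened only offline
}

const (
	pbkdf2Iters = 100_000 // assumed work factor for this example
	verifierLen = 32
)

var oaepLabel = []byte("password-recovery") // assumed label; any fixed value works

// pbkdf2 is a stdlib-only PBKDF2-HMAC-SHA256 (RFC 8018 section 5.2).
func pbkdf2(password, salt []byte, iters, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := 1; len(dk) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)            // U_1 = PRF(salt || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iters; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(U_{i-1})
			for k := range t {
				t[k] ^= u[k] // T ^= U_i
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// NewAdminKey runs on the admin's machine; only &key.PublicKey goes to the server.
func NewAdminKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Register runs on the web server. It only ever sees the public key.
func Register(password string, adminPub *rsa.PublicKey) (*Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	recovery, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, adminPub, []byte(password), oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Record{
		Salt:     salt,
		Verifier: pbkdf2([]byte(password), salt, pbkdf2Iters, verifierLen),
		Recovery: recovery,
	}, nil
}

// Verify is the login path: recompute the verifier and compare in constant time.
func Verify(r *Record, candidate string) bool {
	got := pbkdf2([]byte(candidate), r.Salt, pbkdf2Iters, verifierLen)
	return subtle.ConstantTimeCompare(got, r.Verifier) == 1
}

// Recover is the admin's offline step. It needs the private key, which is
// the one thing the server was never given.
func Recover(r *Record, adminPriv *rsa.PrivateKey) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, adminPriv, r.Recovery, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo values; the admin key is generated here for convenience.
	adminPriv, err := NewAdminKey(2048)
	if err != nil {
		panic(err)
	}
	rec, err := Register("correct horse battery staple", &adminPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("login with right password:", Verify(rec, "correct horse battery staple"))
	fmt.Println("login with wrong password:", Verify(rec, "hunter2"))
	pw, err := Recover(rec, adminPriv)
	fmt.Println("offline recovery:", pw, err)
}
```

The point of the split is that the server can answer "is this the right password?" without being able to answer "what is the password?". Travis's "easily recoverable key" case is what you get if the private key (or a symmetric key) is stored next to the records or loaded from the same disk: the Recovery column then protects nothing against an attacker who copies the server, and the scheme is plaintext-equivalent.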