Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: password.incleartext.com

From: T Biehn <tbiehn () gmail com>
Date: Wed, 6 Apr 2011 15:30:34 -0400
I sent this only to Romain,
Some other posters wanted to know the other scenarios.

-Travis

---------- Forwarded message ----------
From: T Biehn <tbiehn () gmail com>
Date: Wed, Apr 6, 2011 at 10:33 AM
Subject: Re: [Full-disclosure] password.incleartext.com
To: Romain Bourdy <achileos () gmail com>


The only scheme where there's a semblance of security is if the decryption
key was stored in memory only. (Provided on startup perhaps?)

Or the server stores a one way hash of the password for verification, then
the encrypted version, and queues them up on the X for decryption, an admin
grabs the packet and decrypts locally.

Neither of those schemes are likely to have been implemented on any site,
ever.

In which case plain-text is equivalent to encrypted text with an easily
recoverable key.

-Travis


On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos () gmail com> wrote:


Hi Full-Disclosure,

Just my two cents but ... the fact they can give your password back doesn't
mean it's stored in cleartext, just that it's not hashed but encrypted with
some way to get the original data back, this doesn't mean at all it's not
secured, even though in most case it's not.

 -Romain


On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko () fuib com> wrote:


Kinda plaintextoffenders.com?

wbr,
 - Max

full-disclosure-bounces () lists grok org uk wrote on 01.04.2011 02:17:24:


Inc leartext <staff () incleartext com>
Sent by: full-disclosure-bounces () lists grok org uk

01.04.2011 13:14

To

full-disclosure () lists grok org uk

cc

Subject

[Full-disclosure] password.incleartext.com

Hi FD,

Just launched a new website to keep a list of websites storing
passwords in clear text, so far the database is small but feel free
to add some:
    http://password.incleartext.com/




Cheers,
Inc Leartext_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da



-- 
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: