funsec mailing list archives
Does Monster.Com Stores Passwords in the Clear?
From: Jon Kibler <Jon.Kibler () aset com>
Date: Sat, 24 Jan 2009 15:00:26 -0500
All,

In case you missed it, monster.com (the big jobs board) admitted that they got hacked recently:
http://help.monster.com/besafe/jobseeker/index.asp

From the admission that they lost passwords, I would have to presume that:
  -- they stored passwords in the clear, or
  -- they used a very weak password hash (e.g., not blowfish), or
  -- they have no password complexity enforcement mechanism, or
  -- some combination of the above.

My bet, they store passwords in the clear. I have simply seen it too many times.

When are companies going to learn? (Obviously either "never" or "when regulators [or lawyers] force them to learn".)

If Monster had good password security, they would not care that their passwords were revealed to the public.

It would also be interesting to find out just how they got hacked.

My $0.02 worth.

JonK
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.