nanog mailing list archives

Re: gmail security is a joke


From: Barry Shein <bzs () world std com>
Date: Wed, 27 May 2015 13:51:35 -0400


On May 27, 2015 at 10:28 bill () herrin us (William Herrin) wrote:
> On Tue, May 26, 2015 at 4:10 PM, Scott Howard <scott () doc net au> wrote:
> > On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn <aaron () heyaaron com>
> > wrote:
> > > If they can e-mail you your existing password (*cough*Netgear*cough*),
> > > it means they are storing your credentials in the database
> > > un-encrypted.
> >
> > No, it doesn't mean that at all.  It means they are storing it unhashed
> > which is probably what you mean.
>
> Hi Scott,
>
> It means they're storing it in a form that reduces to plain text
> without human intervention. Same difference. Encrypted at rest matters
> not, if all the likely attack vectors go after the data in transit.

It matters a lot. It means their entire username/password collection
can be compromised by various means including by an insider.

The usual practice is to store a hash which cannot be reversed (at
least not without astronomical computation.)

Then when a password is presented (e.g., for login) the hash is
computed on that cleartext password and the hashes are compared.

Getting a copy of the database of hashes and login names is basically
useless to an attacker.

It's not encrypted in this case, it's hashed and only the hash is
stored. The hash cannot be reversed, only compared to a re-hash of the
cleartext password when entered.

The OP was correct, if they can send you your cleartext password then
their security practices are inadequate, period.

Unless I misunderstand what you're saying (I sort of hope I do) this
is Security 101.

-- 
        -Barry Shein

The World              | bzs () TheWorld com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
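The hash-and-compare scheme described in the message above, worked out as an added example; this is not code from the original post or from any of the thread's participants. It assumes Python 3 with only the standard library, picks PBKDF2-HMAC-SHA256 with a per-user random salt as one reasonable choice of slow hash (the iteration count and record format are illustrative assumptions), and the in-memory user table, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Assumed parameters (illustrative; choose them for your own threat model):
# a per-user random salt plus an iterated KDF, so that a stolen table of
# records cannot be turned back into passwords without brute force.
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32
ALGO = "pbkdf2_sha256"

# Constructed in-memory "database": username -> stored record.
USERS: dict = {}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive the record that gets stored in place of the password.

    The record is self-describing (algorithm, iteration count, salt, hash)
    so the verifier can recompute it later; the cleartext password itself
    never reaches storage.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, presented: str) -> bool:
    """Re-hash the presented password with the stored parameters and compare.

    This is the only operation the record supports: it answers "is this the
    same password?" and cannot be run backwards to produce the password.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != ALGO:
        return False  # unknown scheme: never fall back to something weaker
    dk = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"),
                             salt, iterations, dklen=DK_LEN)
    # Constant-time comparison so an early byte mismatch does not leak timing.
    return hmac.compare_digest(dk, expected)


def register(username: str, password: str,
             iterations: int = ITERATIONS) -> None:
    """Store only the derived record for a new user."""
    USERS[username] = hash_password(password, iterations=iterations)


def login(username: str, password: str) -> bool:
    """Compare the hash of the presented password against the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Production code would run a dummy derivation here so that the
        # response time does not reveal which usernames exist.
        return False
    return verify_password(record, password)


def issue_reset_token() -> str:
    """What a site sends instead of the password: a random, single-use
    token (store its hash, expire it, and let the user set a new one)."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")
    print(USERS["alice"])
    print(USERS["bob"])  # same password, different record because of the salt
    print(login("alice", "correct horse battery staple"))  # True
    print(login("alice", "Correct horse battery staple"))  # False
    print("reset token:", issue_reset_token())
```

Two design points worth noting. The per-user salt is what keeps two users with the same password from sharing a record and keeps one precomputed table from covering the whole dump; the iteration count is what makes a dumped table expensive to brute-force offline, which is the practical reason "a copy of the hashes is useless" holds only for salted, slow hashes and not for bare MD5 or SHA-1 of common passwords. And because the stored record can only answer "is this the same password?", the "e-mail me my password" feature cannot be implemented on top of it at all; a random reset token is the replacement.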
