Re: EasyJet is storing user passwords in the clear

[Dan Kaminsky <dan () doxpara com>]

On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez <
mnv () alumni princeton edu> wrote:

> On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky <dan () doxpara com> wrote:
>
> > Sai,
> >
> >    I see where you're coming from, but what are the most recent statistics
> > on the effectiveness of hash cracking?  Isn't it something like 70% of the
> > passwords in the field can be cracked with a minimal amount of brute
> > forcing?
>
> 70% ?
>
> Plain MD5 perhaps, but I don't think salted, or sha1, etc, have anywhere
> near such high success rates.

The problem isn't in the algorithm -- it's in the passwords themselves.
Salting helps in that the attacker can't amortize the work effort across the
entire population, but at the end of the day, even PBKDF2 isn't going to do
much against 1234567890 and its ilk.

To put it another way, if EasyJet *did* have a breach, they couldn't very
well say "It's OK, because the passwords were hashed".

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/