Full Disclosure mailing list archives
Re: EasyJet is storing user passwords in the clear
From: Michael Neal Vasquez <mnv () alumni princeton edu>
Date: Thu, 25 Feb 2010 09:31:05 -0700
If I reread your statement, and take it as "70% of people's passwords suck" -- I'd have to agree. I'd say though, for the remaining 30%, algorithm choice, even without salting, can make a difference. My password audits go much quicker when LM is enabled, vs NTLM. Same for MD5 vs SHA1.

On Thu, Feb 25, 2010 at 9:07 AM, Dan Kaminsky <dan () doxpara com> wrote:

> On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez <mnv () alumni princeton edu> wrote:
>
>> On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky <dan () doxpara com> wrote:
>>
>>> Sai, I see where you're coming from, but what are the most recent statistics on the effectiveness of hash cracking? Isn't it something like 70% of the passwords in the field can be cracked with a minimal amount of brute forcing?
>>
>> 70% ? Plain MD5 perhaps, but I don't think salted, or sha1, etc, have anywhere near such high success rates.
>
> The problem isn't in the algorithm -- it's in the passwords themselves. Salting helps in that the attacker can't amortize the work effort across the entire population, but at the end of the day, even PBKDF2 isn't going to do much against 1234567890 and its ilk. To put it another way, if EasyJet *did* have a breach, they couldn't very well say "It's OK, because the passwords were hashed".
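The amortization point from the quoted exchange, as an added example that is not part of the original message: a password audit over a constructed user table, counting how many hash computations a small wordlist check costs with unsalted SHA-1 versus per-user salted PBKDF2. The user table, wordlist, iteration count and function names are assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample data for illustration; not taken from any real system.
USERS = {"alice": "1234567890", "bob": "1234567890",
         "carol": "password", "dave": "T7#qv!Lz92p-kW"}
WORDLIST = ["123456", "password", "1234567890", "letmein", "qwerty"]
ITERATIONS = 1000  # assumption: kept low so the example runs quickly


def store_unsalted(users):
    """Unsalted SHA-1: identical passwords yield identical stored values."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users):
    """Per-user random salt with PBKDF2-HMAC-SHA256."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS))
    return table


def audit_unsalted(table, wordlist):
    """One hash per guess covers every account (work is amortized)."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    weak = {u: lookup[h] for u, h in table.items() if h in lookup}
    return weak, len(wordlist)


def audit_salted(table, wordlist):
    """Each guess must be recomputed per account because salts differ."""
    weak, work = {}, 0
    for user, (salt, stored) in table.items():
        for guess in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, ITERATIONS) == stored:
                weak[user] = guess
                break
    return weak, work


if __name__ == "__main__":
    for name, result in (("unsalted SHA-1", audit_unsalted(store_unsalted(USERS), WORDLIST)),
                         ("salted PBKDF2", audit_salted(store_salted(USERS), WORDLIST))):
        weak, work = result
        print(f"{name}: {len(weak)} weak accounts found, {work} hash computations")
```

Both audits flag the same three accounts; salting and PBKDF2 raise the cost per guess and per account, but the wordlist passwords are still found.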