Full Disclosure mailing list archives
Re: EasyJet is storing user passwords in the clear
From: Dan Kaminsky <dan () doxpara com>
Date: Thu, 25 Feb 2010 17:57:59 -0500
On Feb 25, 2010, at 5:44 PM, Sai Emrys <sai () saizai com> wrote:
Dan -I see where you're coming from, but what are the most recent statistics on the effectiveness of hash cracking? Isn't it something like 70% of the passwords in the field can be cracked with a minimal amount of brute forcing?Of course this depends on what you mean by "minimal". http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf claims 20% success with a 5k dictionary based on the RockYou password db. Presumably this would be at least somewhat worse with an unknown db, since their results are from post hoc knowledge.
That's 20% with a work effort of effectively 0 per password with a single dictionary. Spend a few minutes of brute force on each pass and the success rate grows.
There are best practices, and there are vulnerabilities. I don't think anybody's going to argue it's not best practice to store hashes rather than plaintext, but lets not delude ourselves regarding their effectiveness.Fair enough. As I wrote in a comment on my blog post, the vulnerability here is not that EasyJet data would be compromised - if this is relevant, that's already happened - but that it would lead to easy escalation of the compromise. Not every vulnerability disclosure is on the level of structural DNS issues. ;-) I think that this is at about the level of finding a blind SQL injection hole.
A SQL Injection hole *is* the compromise. This says, given the compromise, the work effort is somewhat lower than it might be. The dependency chain is clear. There is actually something interesting about this work, in that it's a really good illustration of the difference between what you can legally look for in web apps vs. binaries that sit on a machine that you own. You hit Forgot My Password, and in doing nothing illicit, nothing unusual, you learn a deep detail about the backend implementation -- that it stores plaintext passwords. That's good to know, but with the exception of situations where SQL is in the URI, we don't get to look for the really scary stuff. At least, not in a legally safe manner.
Is it an awesome new hack? Hardly. Is it incompetent of EasyJet, given that it's a large company with a lot of users' data? Yes.
The point I'm making is that they could do better, but not that much better. Auth is broken, we need to get past passwords, etc.
Thanks, - Sai
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- EasyJet is storing user passwords in the clear Sai Emrys (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Michael Neal Vasquez (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Michael Neal Vasquez (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Michael Neal Vasquez (Feb 25)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Sai Emrys (Feb 26)
- Re: EasyJet is storing user passwords in the clear Dan Kaminsky (Feb 25)
- Re: EasyJet is storing user passwords in the clear Sai Emrys (Feb 26)