Full Disclosure mailing list archives
Re: password.incleartext.com
From: Romain Bourdy <achileos () gmail com>
Date: Wed, 6 Apr 2011 22:38:56 +0200
So let's say I store password using PGP for *recovery*, encrypted with my own keys as sender and recipient , I can recover plaintext passwords whenever I want to, but is it unsecure ? As long as it handled somewhere else I don't feel it as being unsafe. Where am I wrong ? Rgds, -Romain On Wed, Apr 6, 2011 at 9:30 PM, T Biehn <tbiehn () gmail com> wrote:
I sent this only to Romain, Some other posters wanted to know the other scenarios. -Travis ---------- Forwarded message ---------- From: T Biehn <tbiehn () gmail com> Date: Wed, Apr 6, 2011 at 10:33 AM Subject: Re: [Full-disclosure] password.incleartext.com To: Romain Bourdy <achileos () gmail com> The only scheme where there's a semblance of security is if the decryption key was stored in memory only. (Provided on startup perhaps?) Or the server stores a one way hash of the password for verification, then the encrypted version, and queues them up on the X for decryption, an admin grabs the packet and decrypts locally. Neither of those schemes are likely to have been implemented on any site, ever. In which case plain-text is equivalent to encrypted text with an easily recoverable key. -Travis On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <achileos () gmail com> wrote:Hi Full-Disclosure, Just my two cents but ... the fact they can give your password back doesn't mean it's stored in cleartext, just that it's not hashed but encrypted with some way to get the original data back, this doesn't mean at all it's not secured, even though in most case it's not. -Romain On Wed, Apr 6, 2011 at 1:36 PM, <Maksim.Filenko () fuib com> wrote:Kinda plaintextoffenders.com? wbr, - Max full-disclosure-bounces () lists grok org uk wrote on 01.04.2011 02:17:24:Inc leartext <staff () incleartext com> Sent by: full-disclosure-bounces () lists grok org uk 01.04.2011 13:14 To full-disclosure () lists grok org uk cc Subject [Full-disclosure] password.incleartext.com Hi FD, Just launched a new website to keep a list of websites storing passwords in clear text, so far the database is small but feel free to add some: http://password.incleartext.com/Cheers, Inc Leartext_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-- FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on http://pastebin.com/f6fd606da -- FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on http://pastebin.com/f6fd606da _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: password.incleartext.com, (continued)
- Re: password.incleartext.com Thor (Hammer of God) (Apr 06)
- Re: password.incleartext.com Peter Osterberg (Apr 06)
- Re: password.incleartext.com Cal Leeming (Apr 07)
- Re: password.incleartext.com Thor (Hammer of God) (Apr 06)
- Re: password.incleartext.com Peter Osterberg (Apr 07)
- Re: password.incleartext.com Inc Leartext (Apr 07)
- Re: password.incleartext.com Cal Leeming (Apr 07)
- Re: password.incleartext.com Valdis . Kletnieks (Apr 07)
- Re: password.incleartext.com Cal Leeming (Apr 07)
- Message not available
- Re: password.incleartext.com T Biehn (Apr 06)
- Re: password.incleartext.com Romain Bourdy (Apr 06)
- Re: password.incleartext.com Valdis . Kletnieks (Apr 06)