Re: [Full-disclosure] New Tool - Flashfxp Password Decryptor Released !

[Valdis.Kletnieks () vt edu]

On Mon, 09 May 2011 19:12:52 +0200, Nicolai () nxtgn org said:

> How is this a "terribly mistake"?

Which is stronger, a password made of 16 characters chosen
from the 256-character set 0x0..0xff, or 16 characters chosen
from the 62-character set [A-Za-z0-9]?

Of course, the fact it's a magic string at all is even more egregious.

> If people use the "Site > Security > Set password" then this program can't decrypt the "sites".

And I want a pony.

Hint:  If you use "set password" where does it get stored?  And is it just a
case of "it's still an XOR and easily undone, just with a string you have to
fetch rather than a fixed string"?

A case can be made that this:

SITEPASS1="xor-ed bit mess"
SITEPASS2="another xor-ed mess"
MAGICPASS="string the user entered"

is even *easier* for an attacker to deal with than having to crowbar the
magic string out of the Flash FPX binary.

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/