funsec mailing list archives

Does Monster.Com Store Passwords in the Clear?


From: Jon Kibler <Jon.Kibler () aset com>
Date: Sat, 24 Jan 2009 15:00:26 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

In case you missed it, monster.com (the big jobs board) admitted that
they got hacked recently:

        http://help.monster.com/besafe/jobseeker/index.asp

From the admission that they lost passwords, I would have to presume that:
   -- they stored passwords in the clear, or
   -- they used a very weak password hash (e.g., not blowfish), or
   -- they have no password complexity enforcement mechanism, or
   -- some combination of the above.

My bet, they store passwords in the clear. I have simply seen it too
many times. When are companies going to learn? (Obviously either "never"
or "when regulators [or lawyers] force them to learn".)

If Monster had good password security, they would not care that their
passwords were revealed to the public.

It would also be interesting to find out just how they got hacked.

My $0.02 worth.

JonK
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkl7c1kACgkQUVxQRc85QlO42QCaAjNrAFZgOiVMNECLfHP27Buz
fUwAn3yfvmWb5L+QnxihXtzNbyOVVdsb
=AGtR
-----END PGP SIGNATURE-----
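The three storage options the post lists (plaintext, a fast unsalted hash, a slow salted hash such as bcrypt/Blowfish), run against the same leaked table with the same wordlist, as an added example. This is illustration code written for this archive page, not code from the poster or from Monster.com; the accounts, the wordlist, the PBKDF2 iteration count and the `meets_policy` rule are all constructed assumptions, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without third-party modules.

```python
"""Added example: why a leaked password table is only a disaster when the
storage scheme is weak. The accounts and wordlist below are constructed."""
import hashlib
import hmac
import os

# Constructed wordlist a cracker would try first (not from any real leak).
WORDLIST = ["password", "123456", "letmein", "qwerty", "Monster2009"]

# Constructed accounts: two weak passwords, one strong one.
ACCOUNTS = {
    "alice": "password",
    "bob": "letmein",
    "carol": "correct horse battery staple",
}

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to ~100 ms per check


def store_plaintext(password):
    return {"scheme": "plain", "value": password}


def store_md5(password):
    # Unsalted fast hash: one precomputed table cracks every user at once.
    return {"scheme": "md5", "value": hashlib.md5(password.encode()).hexdigest()}


def store_pbkdf2(password, salt=None, iterations=ITERATIONS):
    # Salted slow hash: stdlib stand-in for the bcrypt/Blowfish scheme the post means.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "salt": salt.hex(),
            "iterations": iterations, "value": dk.hex()}


def verify(record, candidate):
    """Constant-time comparison of a candidate against a stored record."""
    scheme = record["scheme"]
    if scheme == "plain":
        digest = candidate
    elif scheme == "md5":
        digest = hashlib.md5(candidate.encode()).hexdigest()
    elif scheme == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(record["salt"]),
                                     record["iterations"]).hex()
    else:
        raise ValueError("unknown scheme %r" % scheme)
    return hmac.compare_digest(record["value"], digest)


def crack(table, wordlist):
    """Offline dictionary attack on a leaked table.

    Returns (recovered {user: password}, number of hash computations spent).
    Plaintext costs nothing; an unsalted hash costs one pass over the wordlist
    for the whole table; a salted slow hash costs a fresh pass per user, with
    every computation paying ITERATIONS rounds.
    """
    recovered, work = {}, 0
    scheme = next(iter(table.values()))["scheme"]
    if scheme == "plain":
        return {u: r["value"] for u, r in table.items()}, 0
    if scheme == "md5":
        lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
        work = len(wordlist)
        for user, rec in table.items():
            if rec["value"] in lookup:
                recovered[user] = lookup[rec["value"]]
        return recovered, work
    for user, rec in table.items():  # salted: no shared lookup table is possible
        for word in wordlist:
            work += 1
            if verify(rec, word):
                recovered[user] = word
                break
    return recovered, work


def build_table(store):
    return {user: store(pw) for user, pw in ACCOUNTS.items()}


def meets_policy(password, minimum=12, banned=WORDLIST):
    """Minimal complexity rule (assumed policy): length and not on the banned list."""
    return len(password) >= minimum and password not in banned


if __name__ == "__main__":
    for name, store in [("plain", store_plaintext), ("md5", store_md5),
                        ("pbkdf2", store_pbkdf2)]:
        got, work = crack(build_table(store), WORDLIST)
        print(f"{name:7s} recovered={sorted(got)} hash computations={work}")
```

The slow salted scheme still gives up the two weak passwords; it only makes each one cost a full wordlist pass at the chosen work factor, which is why the post's third bullet (no complexity enforcement) matters as much as the hash choice: `meets_policy` is the kind of check that keeps "password" out of the table in the first place.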


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
