Vulnerability Development mailing list archives
Re: Secure Yahoo logins
From: "Roland Postle" <mail () blazde co uk>
Date: Wed, 28 Aug 2002 00:47:34 +0100
The password is hashed with a nonce (a random, one use, string called challenge). Here's the javascript straight from the login page: var passwd = form.passwd.value; var hash1 = MD5(form.passwd.value); var challenge = form[".challenge"].value; var hash2 = MD5(form.passwd.value) + challenge; var hash; if(form.passwd.value){ hash=MD5(hash2); } else { hash=""; } And the challenge is quite long, <input type=hidden name=".challenge" value="zpUHXfMLl._2u4tfNw8fBdAKYtkM" > Thus even if you can watch the traffic both ways you can only break the password by doing some kind of brute force dictionary search. That would probably show up a few insecure passwords (if you have a largish company), but that's not really the fault of the login procedure.
My other question is if the passwords are encrypted why do they offer a secure login option? How does that increase security, other than adding a brief ssl session.
Because it encrypts your username too? Honestly I don't know. Most browsers apply stricter security to secure pages, ie they won't be cached locally etc... That could be it. The passwords coulnd't be brute forced locally either. - Blazde
Current thread:
- Secure Yahoo logins Jeremy (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 27)
- Re: Secure Yahoo logins David Schwartz (Aug 27)
- Re: Secure Yahoo logins John Madden (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 28)
- Re: Secure Yahoo logins Nick Jacobsen (Aug 27)
- Re: Secure Yahoo logins David Thiel (Aug 27)
- Re: Secure Yahoo logins Nick Jacobsen (Aug 28)
- Re: Secure Yahoo logins David Thiel (Aug 28)
- Re: Secure Yahoo logins Steve Bremer (Aug 28)
- Re: Secure Yahoo logins David Thiel (Aug 27)
- Re: Secure Yahoo logins Roland Postle (Aug 27)
- <Possible follow-ups>
- Re: Secure Yahoo logins Alan McCaig (Aug 28)
- Re: Secure Yahoo logins Chris Caydes (Aug 28)