E-mailing account information
-
Dalek Dave wrote:
Oh they drive you around looking for nuts!
I wasn't, now I am, then I won't be anymore.
-
Of course it's not, it means they store passwords in plaintext, or with a reversible encryption (which doesn't provide significant additional safety - leak once, leak all). (And of course, they can send it once at sign up time, but not for recovery. Or the laws of physics might change, or quantum computing might turn out to just work.) (But hey, even HBGary didn't much better)
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchymodified on Wednesday, February 23, 2011 11:25 AM
-
Anyone else think its annoying that when you create a account somewhere they mail you your complete account information. I don’t mind that they mail you the information you used to sign up or anything, but do they have to include your password in plain text?
saru mo ki kara ochiru (even monkeys fall from trees) Usualy i'm that monkey. If you want an intelligent answer, Don't ask me. To understand Recursion, you must first understand Recursion.
Not as annoying as slow loading web pages that automatically set focus on the username field causing me to type half of my password in the user name field.
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. I also do Android Programming as I find it a refreshing break from the MS. "And they, since they Were not the one dead, turned to their affairs" -- Robert Frost
-
Of course it's not, it means they store passwords in plaintext, or with a reversible encryption (which doesn't provide significant additional safety - leak once, leak all). (And of course, they can send it once at sign up time, but not for recovery. Or the laws of physics might change, or quantum computing might turn out to just work.) (But hey, even HBGary didn't much better)
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchymodified on Wednesday, February 23, 2011 11:25 AM
peterchen wrote:
it means they store passwords in plaintext.
Not really - it could also be encrypted, but reversibly. The sites that can only 'reset' you password probably store it with an irreversible encryption (through the digital Cuisinart). If it's reversibly encrypted, they can, obviously, decrypt it back to plain-text and mail it to you. The latter, if you're interested, is inherently weak in that gaining access to a database full of these, and some known uid/pwd sets could allow mass decryption. When irreversibly encrypted - it's falls back pretty much to trial-and-error.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"As far as we know, our computer has never had an undetected error." - Weisert
"If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
-
Of course it's not, it means they store passwords in plaintext, or with a reversible encryption (which doesn't provide significant additional safety - leak once, leak all). (And of course, they can send it once at sign up time, but not for recovery. Or the laws of physics might change, or quantum computing might turn out to just work.) (But hey, even HBGary didn't much better)
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchymodified on Wednesday, February 23, 2011 11:25 AM
How the heck do you come to that conclusion? You don't think they can decrypt the password before they include it in the mail? :doh:
Gotta run; I've got people to do and things to see...
-----
Don't tell my folks I'm a computer programmer - They think I'm a piano player in a cat house...
-----
Da mihi sis crustum Etruscum cum omnibus in eo!
-----
Everybody is ignorant, only on different subjects - Will Rogers, September 7, 1924 -
How the heck do you come to that conclusion? You don't think they can decrypt the password before they include it in the mail? :doh:
Gotta run; I've got people to do and things to see...
-----
Don't tell my folks I'm a computer programmer - They think I'm a piano player in a cat house...
-----
Da mihi sis crustum Etruscum cum omnibus in eo!
-----
Everybody is ignorant, only on different subjects - Will Rogers, September 7, 1924You are right of course, that it could be reversibly encrypted, and I've modified my reply to relect that. However reversible encryption is pointless for password security. When the password is validated, you need the secret and the decryption key - in other words, the plain text. Using reversible encryption reduces the attack points (e.g. you can have a user-key list on one server, and a user-encrypted password list on another), but it doesn't solve the fundamental weakness. Excactly that's the reason for a one-way hash. (Now you still have rainbow tables, and how to store the salt? But that a much higher barrier.)
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy -
peterchen wrote:
it means they store passwords in plaintext.
Not really - it could also be encrypted, but reversibly. The sites that can only 'reset' you password probably store it with an irreversible encryption (through the digital Cuisinart). If it's reversibly encrypted, they can, obviously, decrypt it back to plain-text and mail it to you. The latter, if you're interested, is inherently weak in that gaining access to a database full of these, and some known uid/pwd sets could allow mass decryption. When irreversibly encrypted - it's falls back pretty much to trial-and-error.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"As far as we know, our computer has never had an undetected error." - Weisert
"If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
Balboos wrote:
The latter, if you're interested, is inherently weak in that gaining access to a database full of these, and some known uid/pwd sets could allow mass decryption.
That's why I equated reversible encryption with "not really better than plain text". See also my reply below[^].
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy -
You are right of course, that it could be reversibly encrypted, and I've modified my reply to relect that. However reversible encryption is pointless for password security. When the password is validated, you need the secret and the decryption key - in other words, the plain text. Using reversible encryption reduces the attack points (e.g. you can have a user-key list on one server, and a user-encrypted password list on another), but it doesn't solve the fundamental weakness. Excactly that's the reason for a one-way hash. (Now you still have rainbow tables, and how to store the salt? But that a much higher barrier.)
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchypeterchen wrote:
how to store the salt?
In a shaker? ;P
Gotta run; I've got people to do and things to see...
-----
Don't tell my folks I'm a computer programmer - They think I'm a piano player in a cat house...
-----
Da mihi sis crustum Etruscum cum omnibus in eo!
-----
Everybody is ignorant, only on different subjects - Will Rogers, September 7, 1924 -
Of course it's not, it means they store passwords in plaintext, or with a reversible encryption (which doesn't provide significant additional safety - leak once, leak all). (And of course, they can send it once at sign up time, but not for recovery. Or the laws of physics might change, or quantum computing might turn out to just work.) (But hey, even HBGary didn't much better)
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchymodified on Wednesday, February 23, 2011 11:25 AM
peterchen wrote:
Of course it's not, it means they store passwords in plaintext, or with a reversible encryption (which doesn't provide significant additional safety - leak once, leak all).
No it doesn't, they can do that even if they store the password in a hash, by inserting the plaintext into the email before disposing the string which your input was initially stored in.
3x12=36 2x12=24 1x12=12 0x12=18
-
peterchen wrote:
how to store the salt?
In a shaker? ;P
Gotta run; I've got people to do and things to see...
-----
Don't tell my folks I'm a computer programmer - They think I'm a piano player in a cat house...
-----
Da mihi sis crustum Etruscum cum omnibus in eo!
-----
Everybody is ignorant, only on different subjects - Will Rogers, September 7, 1924:-D
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy -
peterchen wrote:
Of course it's not, it means they store passwords in plaintext, or with a reversible encryption (which doesn't provide significant additional safety - leak once, leak all).
No it doesn't, they can do that even if they store the password in a hash, by inserting the plaintext into the email before disposing the string which your input was initially stored in.
3x12=36 2x12=24 1x12=12 0x12=18
You are a hard-to-please crowd to day. I've updated the post again.
FILETIME to time_t
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy -
Anyone else think its annoying that when you create a account somewhere they mail you your complete account information. I don’t mind that they mail you the information you used to sign up or anything, but do they have to include your password in plain text?
saru mo ki kara ochiru (even monkeys fall from trees) Usualy i'm that monkey. If you want an intelligent answer, Don't ask me. To understand Recursion, you must first understand Recursion.
-
Not as annoying as slow loading web pages that automatically set focus on the username field causing me to type half of my password in the user name field.
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. I also do Android Programming as I find it a refreshing break from the MS. "And they, since they Were not the one dead, turned to their affairs" -- Robert Frost