[Full-disclosure] EasyJet is storing user passwords in the clear
Dan Kaminsky
dan at doxpara.com
Thu Feb 25 16:07:37 GMT 2010
On Thu, Feb 25, 2010 at 10:39 AM, Michael Neal Vasquez <
mnv at alumni.princeton.edu> wrote:
> On Thu, Feb 25, 2010 at 8:05 AM, Dan Kaminsky <dan at doxpara.com> wrote:
>
>> Sai,
>>
>> I see where you're coming from, but what are the most recent statistics
>> on the effectiveness of hash cracking? Isn't it something like 70% of the
>> passwords in the field can be cracked with a minimal amount of brute
>> forcing?
>>
>>
>
> 70% ?
>
> Plain MD5 perhaps, but I don't think salted, or sha1, etc, have anywhere
> near such high success rates.
>
The problem isn't in the algorithm -- it's in the passwords themselves.
Salting helps in that the attacker can't amortize the work effort across the
entire population, but at the end of the day, even PBKDF2 isn't going to do
much against 1234567890 and its ilk.
To put it another way, if EasyJet *did* have a breach, they couldn't very
well say "It's OK, because the passwords were hashed".
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20100225/1d67efa6/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.