Re: [Full-disclosure]

I can see how it can be stored securely, but how would distribution
after recovery be accomplished?

In an envelope? Or by sending me a one-time random https-link where I
can retrieve it myself? Sounds like more trouble compared to what can be
gained from it. Wouldn't it be just as easy to send a one time password
that needs to be changed... Too impracitcal to be implemented in a
real-world situation...

This is probably why I still wouldn't hesitate to say that it is
insecure if it is in clear text. Even though I must give you credit for
having shown a way to do it. ;-)

I am sure someone will come and beat me with saying that they already
did this. :-p Ppl do all sorts of crazy stuff just because they can...

Thor (Hammer of God) skrev 2011-04-07 06:27:

One way to handle this would be to take the password on signup and
both hash it and encrypt it with the recovery key's public key in 2
separate fields (a hash field and an encrypted field). That way
you've always got a hash of it for validation even if you lose the
keys. Of course, you could still always re-encrypt it to see if the
two values matched, but I would probably continue to use the hash for
logon validation.

The private key would be stored on a completely separate
machine/instance which was only used for recovery purposes. There
could be any number of ways to validate the actual recovery request,
but that way you separate out the encrypted data from any on-machine
ability to decrypt it. I wouldn't have the private key in memory on
the same box because that makes it trivial to decrypt, but of course
it all depends on what problem we are trying to solve.


*From:*Cal Leeming [mailto:cal@xxxxxxxxxxxxxxxx]
*Sent:* Wednesday, April 06, 2011 11:58 AM
*To:* Peter Osterberg
*Cc:* Thor (Hammer of God); Mario Vilas; Romain Bourdy;
full-disclosure; Inc leartext
*Subject:* Re: [Full-disclosure]

Tbh, I'd be unhappy about any company storing a password in anything
other than a hash of itself. But, like many things in life, we have
absolutely no control over it, so best to just use a new pass for
every external service :)

On Wed, Apr 6, 2011 at 7:48 PM, Peter Osterberg <j@xxxxxx
<mailto:j@xxxxxx>> wrote:

Security is relative and the pwd might be handled in a secure enough
fashion compared to the value of the information it is protecting,
even though it is stored in a reversable fashion. But I wouldn't,
generally speaking, hesitate to claim that it isn't stored securely if
it is reversable.

Could you givd an example?

----- Ursprungsmeddelande -----

This isn't necessarily true - without knowledge of how the data may be
encrypted and what processes are involved in decrypting the data, one
can't make the "it isn't secure" statement.

That being said, it is probably safe to argue that sites that do not
require PCI, SOX, HIPPA, etc would be less inclined to engage in this
level of security. But that doesn't mean that it is not being done.


From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Mario
Vilas Sent: Wednesday, April 06, 2011 9:05 AM To: Romain Bourdy
Cc: full-disclosure; Inc leartext
Subject: Re: [Full-disclosure]

Actually, if they can get the data back (be it because it's stored in
plaintext or in obfuscated plaintext) then it's not secure. Obfuscation
doesn't make it more secure, or any less plaintext. On Wed, Apr 6, 2011
at 11:01 AM, Romain Bourdy

<mailto:achileos@xxxxxxxxx><mailto:achileos@xxxxxxxxx>> wrote: Hi


Just my two cents but ... the fact they can give your password back
doesn't mean it's stored in cleartext, just that it's not hashed but
encrypted with some way to get the original data back, this doesn't
at all it's not secured, even though in most case it's not.


On Wed, Apr 6, 2011 at 1:36 PM,

wrote: Kinda

- Max


wrote on 01.04.2011 02:17:24:

Inc leartext <staff@xxxxxxxxxxxxxxx
Sent by:

01.04.2011 13:14






Hi FD,

Just launched a new website to keep a list of websites storing
passwords in clear text, so far the database is small but feel free
to add some:

Inc Leartext_______________________________________________
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

"My daughter was asked by a little old lady in a London hotel
what her daddy did - she answered, 'He's a pirate.' I was very proud of
that answer." - Johnny Depp

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -