Re: Secure Yahoo logins

From: Roland Postle (mail@blazde.co.uk)
Date: 08/28/02


From: "Roland Postle" <mail@blazde.co.uk>
To: "vuln-dev@securityfocus.com" <vuln-dev@securityfocus.com>, "Jeremy" <prrthd@myrealbox.com>
Date: Wed, 28 Aug 2002 00:47:34 +0100

The password is hashed with a nonce (a random, one use, string called
challenge). Here's the javascript straight from the login page:

      var passwd = form.passwd.value;
      var hash1 = MD5(form.passwd.value);
      var challenge = form[".challenge"].value;
      var hash2 = MD5(form.passwd.value) + challenge;
      var hash;
      if(form.passwd.value){
        hash=MD5(hash2);
      } else {
        hash="";
      }

And the challenge is quite long,

<input type=hidden name=".challenge"
value="zpUHXfMLl._2u4tfNw8fBdAKYtkM" >

Thus even if you can watch the traffic both ways you can only break the
password by doing some kind of brute force dictionary search. That
would probably show up a few insecure passwords (if you have a largish
company), but that's not really the fault of the login procedure.

> My other question is if the passwords are encrypted why do they offer a secure login
> option? How does that increase security, other than adding a brief ssl session.

Because it encrypts your username too? Honestly I don't know. Most
browsers apply stricter security to secure pages, i.e. they won't be
cached locally etc... That could be it. The passwords couldn't be brute
forced locally either.

- Blazde
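The hashing scheme quoted above, worked through as an added example (not code from the post or from Yahoo): the client computes MD5(MD5(passwd) + challenge) exactly as the page's JavaScript does, and a hypothetical verifier checks it against a stored MD5(passwd) and rejects a replayed challenge. It assumes the page's MD5() returns a lowercase hex digest and that the server keeps MD5(passwd) as its verifier; both are assumptions.

```python
import hashlib
import secrets


def md5_hex(s: str) -> str:
    # Assumption: the login page's MD5() yields a lowercase hex digest.
    return hashlib.md5(s.encode()).hexdigest()


def yahoo_response(password: str, challenge: str) -> str:
    """Client side, mirroring the quoted JavaScript:
    hash1 = MD5(passwd); hash2 = hash1 + challenge; hash = MD5(hash2).
    An empty password yields "" just as the page's else-branch does."""
    if not password:
        return ""
    return md5_hex(md5_hex(password) + challenge)


class ChallengeServer:
    """Hypothetical verifier for the scheme (not Yahoo's real server)."""

    def __init__(self) -> None:
        self.verifiers = {}    # username -> MD5(passwd); note: password-equivalent if stolen
        self.outstanding = {}  # issued challenge -> username, removed on first use

    def register(self, username: str, password: str) -> None:
        self.verifiers[username] = md5_hex(password)

    def issue_challenge(self, username: str) -> str:
        # Random one-use nonce; the page's sample is ~28 chars, so 20 bytes is comparable.
        challenge = secrets.token_urlsafe(20)
        self.outstanding[username] = challenge
        return challenge

    def verify(self, username: str, challenge: str, response: str) -> bool:
        # Single use: consume the challenge so a captured (challenge, response)
        # pair cannot simply be replayed against a later login.
        if self.outstanding.pop(username, None) != challenge:
            return False
        stored = self.verifiers.get(username)
        if stored is None or not response:
            return False
        expected = md5_hex(stored + challenge)
        return secrets.compare_digest(expected, response)
```

What the example does not change is the weakness the post describes: an eavesdropper who records the challenge and response can still test password guesses offline against that pair.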


