nospam22@private wrote:
> Since Earthlink has a lot of novice users, I expect
> that they would get a lot of lost password calls.
> Perhaps they prefer to tell the user their password
> instead of resetting it.
>
Perhaps they prefer to compromise their users' security to reduce their
own operational costs. I'm sure that it would be even more convenient if
Earthlink's authenticator demanded a password, and then ignored the
result and just let you log in :)

> Also, they have likely
> rolled their own authentication and password storage
> solution, one which apparently uses cleartext
> passwords.
>
Taking a bad security problem (reusable passwords) and making it
substantially worse. With crypted passwords, an inside attacker would
have to sneak a data file out of the building and run crack against it
for a weekend in their basement. With cleartext passwords, an inside
attacker can just notice a user browsing financial sites a lot, and
steal the password on a post-it.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.  http://wirex.com/~crispin/
Security Hardened Linux Distribution:        http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
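The contrast Crispin draws above, as an added example that is not part of the original thread and not code from Earthlink, WireX or Immunix: a cleartext password file beside a salted, iterated-hash file, with what an insider who walks off with a copy of each can do. PBKDF2-SHA256 stands in for the Unix crypt() of the era, the work factor, user list and wordlist are all constructed for the example, and the `crack_hashed` routine is a deliberately naive dictionary attack rather than a real cracker.

```python
"""Cleartext vs. hashed password storage and the insider's cost of each.

Added example, not from the original mailing-list post. PBKDF2-SHA256 is a
stand-in for crypt(); ITERATIONS, the users and the wordlist are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16

# Constructed sample accounts; "password1" is reused on purpose.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "Tr0ub4dor&3",
    "carol": "password1",
}

# Constructed attacker wordlist; only "password1" appears in SAMPLE_USERS.
WORDLIST = ["123456", "password", "password1", "letmein"]


def store_cleartext(users):
    """The bad design: the file on disk *is* the list of passwords."""
    return dict(users)


def hash_password(password, salt):
    """Salted, iterated hash. The salt makes each user's digest unique and
    forces an attacker to redo the work per account, not per wordlist."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_hashed(users):
    """The crypted design: only (salt, digest) pairs reach the disk, so the
    server can verify a login but can never read a password back."""
    records = {}
    for name, password in users.items():
        salt = os.urandom(SALT_BYTES)
        records[name] = (salt, hash_password(password, salt))
    return records


def verify_hashed(records, name, password):
    """Server-side login check; constant-time compare avoids a timing leak."""
    record = records.get(name)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def recover_cleartext(stolen, name):
    """Insider with the cleartext file: no work at all, just read it."""
    return stolen[name]


def crack_hashed(stolen, wordlist):
    """Insider with the hashed file: offline dictionary attack.

    Returns (found, guesses_tried). Each guess costs one full ITERATIONS
    hash, and because of the salt the work cannot be shared across users.
    """
    found = {}
    guesses_tried = 0
    for name, (salt, digest) in stolen.items():
        for guess in wordlist:
            guesses_tried += 1
            if hmac.compare_digest(hash_password(guess, salt), digest):
                found[name] = guess
                break
    return found, guesses_tried


CLEARTEXT = store_cleartext(SAMPLE_USERS)
HASHED = store_hashed(SAMPLE_USERS)


def demo():
    """Returns (insider read of bob, cracked hashed accounts, guesses)."""
    found, tried = crack_hashed(HASHED, WORDLIST)
    return recover_cleartext(CLEARTEXT, "bob"), found, tried


if __name__ == "__main__":
    bob_pw, found, tried = demo()
    print("cleartext file gives up bob instantly:", bob_pw)
    print("hashed file after", tried, "PBKDF2 guesses:", found)
    print("alice and carol share a password, digests differ:",
          HASHED["alice"][1] != HASHED["carol"][1])
```

Note what the hashed store does and does not buy: the weak, wordlist-sized passwords (alice, carol) still fall to a dictionary attack, which is Crispin's "crack for a weekend" point, but bob's does not, and the attacker has to pay the full work factor per user because the salts differ. It also removes the help-desk temptation in the quoted post: since the server cannot recover a password, the only option left is a reset.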
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 23:47:19 PDT