Re: CRIME ISP Password Security Practices at Earthlink

From: Crispin Cowan (crispin@private)
Date: Tue Jun 11 2002 - 22:40:44 PDT


nospam22@private wrote:

>Since Earthlink has a lot of novice users, I expect
>that they would get a lot of lost password calls.
>Perhaps they prefer to tell the user their password
>instead of resetting it.
>
Perhaps they prefer to compromise their users' security to reduce their
own operational costs. I'm sure that it would be even more convenient if
Earthlink's authenticator demanded a password, and then ignored the
result and just let you log in :)

>  Also, they have likely
>rolled their own authentication and password storage
>solution, one which apparently uses cleartext
>passwords.
>
Taking a bad security problem (reusable passwords) and making it
substantially worse. With crypted passwords, an inside attacker would
have to sneak a data file out of the building and run crack against it
for a weekend in their basement. With cleartext passwords, an inside
attacker can just notice a user browsing financial sites a lot, and
steal the password on a Post-it.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
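The design point in the message above, that an ISP's help desk should only ever be able to reset a password and never read it back, follows directly from how the password is stored. The following is an added illustration, not code from the thread or from any Earthlink system: a small in-memory account store (the `PasswordStore` class, record layout and token scheme are all assumptions made for this example) that keeps only a per-user random salt and a PBKDF2 hash, so that someone who walks out with the data file sees exactly what the message describes for "crypted" passwords, and the support path is a one-time reset token rather than a lookup.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Iteration count for PBKDF2-HMAC-SHA256; tune upward for your hardware.
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


@dataclass
class Account:
    """Hypothetical on-disk record: no password, only salt + hash."""
    username: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None  # SHA-256 of an outstanding reset token


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation. Reversing this is the 'weekend of crack'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self._accounts[username] = Account(username, salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            # Burn the same amount of time for unknown users so timing
            # does not reveal which usernames exist.
            _derive(password, b"\x00" * SALT_LEN)
            return False
        return hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)

    def lookup_password(self, username: str) -> str:
        """The operation a help desk asks for and this design cannot provide."""
        raise NotImplementedError("passwords are not recoverable; issue a reset instead")

    def begin_reset(self, username: str) -> Optional[str]:
        """Mint a one-time reset token. Only its hash is stored; the plaintext
        token is returned so the caller can deliver it out of band."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        return token

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        # Token accepted: consume it and install a fresh salt + hash.
        acct.reset_token_hash = None
        acct.salt = os.urandom(SALT_LEN)
        acct.pw_hash = _derive(new_password, acct.salt)
        return True

    def export_records(self) -> Dict[str, Dict[str, str]]:
        """What an insider who copies the data file actually gets."""
        return {
            u: {"salt": a.salt.hex(), "pw_hash": a.pw_hash.hex()}
            for u, a in self._accounts.items()
        }


if __name__ == "__main__":
    store = PasswordStore()
    store.create("alice", "correct horse battery staple")  # constructed sample
    print("login ok:", store.verify("alice", "correct horse battery staple"))
    print("data file contents:", store.export_records())
    tok = store.begin_reset("alice")
    print("reset ok:", store.complete_reset("alice", tok, "new passphrase"))
```

The contrast with a cleartext scheme is the `export_records` output: a stolen copy of this file yields salts and hashes that still have to be cracked, whereas a cleartext file yields the passwords themselves, and a help desk that can "tell the user their password" necessarily has such a file.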
    



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 23:47:19 PDT