I sent this only to Romain; some other posters wanted to know the other scenarios.
-Travis

---------- Forwarded message ----------
From: T Biehn <[email protected]>
Date: Wed, Apr 6, 2011 at 10:33 AM
Subject: Re: [Full-disclosure] password.incleartext.com
To: Romain Bourdy <[email protected]>

The only scheme where there's a semblance of security is if the decryption
key was stored in memory only. (Provided on startup perhaps?)

Or the server stores a one-way hash of the password for verification, then
the encrypted version, and queues them up on the X for decryption; an admin
grabs the packet and decrypts locally.

Neither of those schemes is likely to have been implemented on any site,
ever. In which case plain-text is equivalent to encrypted text with an
easily recoverable key.

-Travis

On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <[email protected]> wrote:
> Hi Full-Disclosure,
>
> Just my two cents but ... the fact they can give your password back doesn't
> mean it's stored in cleartext, just that it's not hashed but encrypted with
> some way to get the original data back. This doesn't mean at all it's not
> secured, even though in most cases it's not.
>
> -Romain
>
>
> On Wed, Apr 6, 2011 at 1:36 PM, <[email protected]> wrote:
>
>> Kinda plaintextoffenders.com?
>>
>> wbr,
>> - Max
>>
>> [email protected] wrote on 01.04.2011 02:17:24:
>>
>> > Inc leartext <[email protected]>
>> > Sent by: [email protected]
>> >
>> > 01.04.2011 13:14
>> >
>> > To
>> >
>> > [email protected]
>> >
>> > cc
>> >
>> > Subject
>> >
>> > [Full-disclosure] password.incleartext.com
>> >
>> > Hi FD,
>> >
>> > Just launched a new website to keep a list of websites storing
>> > passwords in clear text, so far the database is small but feel free
>> > to add some:
>> > http://password.incleartext.com/
>> >
>> > Cheers,
>> > Inc Leartext
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
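The second scheme Travis sketches (a one-way hash kept for login checks, plus an encrypted copy that only an admin can open locally) is worth seeing in working code, because the security property depends entirely on the decryption key never being on the web server. The program below is an added example written for this thread; it is not code from any poster or from any site listed on password.incleartext.com. It assumes an RSA key pair whose private half lives on the admin's workstation (generated in-process here only so the example runs stand-alone), a PBKDF2-HMAC-SHA256 verifier for the online check, and RSA-OAEP for the escrow copy. The names `Record`, `Register`, `Verify`, `AdminRecover` and the OAEP label are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is the per-user row the web server persists. Nothing in it lets the
// server recover the password: Verifier is a one-way KDF output and Escrow is
// the password encrypted to an RSA public key whose private half is never
// installed on the server.
type Record struct {
	Salt     []byte
	Verifier []byte
	Escrow   []byte
}

const (
	kdfIterations = 100_000
	escrowLabel   = "password-escrow-v1" // OAEP label; example's own choice
)

// pbkdf2SHA256 computes one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018,
// block index 1), which is all a verifier needs. A memory-hard KDF such as
// scrypt or Argon2 is the better choice in production.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], 1)
	mac.Write(idx[:])
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// NewAdminKey stands in for the admin's offline key pair. In the scheme the
// private key is generated and kept on the admin's machine; it is generated
// here only so the example runs in one process (assumption for the demo).
func NewAdminKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Register is the server-side enrolment step: store a salted verifier for
// login checks plus an escrow copy only the offline private key can open.
func Register(pub *rsa.PublicKey, password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	escrow, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), []byte(escrowLabel))
	if err != nil {
		return Record{}, err
	}
	return Record{
		Salt:     salt,
		Verifier: pbkdf2SHA256([]byte(password), salt, kdfIterations),
		Escrow:   escrow,
	}, nil
}

// Verify is the online login check. It reads only Salt and Verifier and uses
// a constant-time comparison; Escrow is never touched on this path.
func Verify(rec Record, password string) bool {
	return hmac.Equal(rec.Verifier, pbkdf2SHA256([]byte(password), rec.Salt, kdfIterations))
}

// AdminRecover is the step the admin performs locally after pulling a queued
// record: it needs the private key, so it cannot run on the web server.
func AdminRecover(priv *rsa.PrivateKey, rec Record) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.Escrow, []byte(escrowLabel))
	if err != nil {
		return "", errors.New("escrow decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

func main() {
	adminKey, err := NewAdminKey()
	if err != nil {
		panic(err)
	}
	// The server is handed only the public half.
	rec, err := Register(&adminKey.PublicKey, "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("login with right password:", Verify(rec, "correct horse battery staple"))
	fmt.Println("login with wrong password:", Verify(rec, "Tr0ub4dor&3"))
	recovered, err := AdminRecover(adminKey, rec)
	fmt.Printf("admin recovery: %q (err=%v)\n", recovered, err)
	// A key pair the record was not encrypted to cannot open it.
	otherKey, _ := NewAdminKey()
	_, err = AdminRecover(otherKey, rec)
	fmt.Println("recovery with a different key fails:", err != nil)
}
```

The point Travis makes still applies to this code: the moment the private key is copied onto the web host "for convenience", `AdminRecover` becomes callable by whoever compromises that host, and the escrow column is equivalent to plaintext. The scheme only holds while decryption physically happens somewhere the server cannot reach.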
