So let's say I store passwords using PGP for *recovery*, encrypted with my own keys as sender and recipient. I can recover plaintext passwords whenever I want to, but is it insecure? As long as it is handled somewhere else I don't feel it is unsafe. Where am I wrong?
Rgds,
-Romain

On Wed, Apr 6, 2011 at 9:30 PM, T Biehn <[email protected]> wrote:
> I sent this only to Romain,
> Some other posters wanted to know the other scenarios.
>
> -Travis
>
> ---------- Forwarded message ----------
> From: T Biehn <[email protected]>
> Date: Wed, Apr 6, 2011 at 10:33 AM
> Subject: Re: [Full-disclosure] password.incleartext.com
> To: Romain Bourdy <[email protected]>
>
> The only scheme where there's a semblance of security is if the decryption
> key was stored in memory only. (Provided on startup perhaps?)
>
> Or the server stores a one-way hash of the password for verification, then
> the encrypted version, and queues them up on the X for decryption; an admin
> grabs the packet and decrypts locally.
>
> Neither of those schemes is likely to have been implemented on any site,
> ever.
>
> In which case plain text is equivalent to encrypted text with an easily
> recoverable key.
>
> -Travis
>
> On Wed, Apr 6, 2011 at 10:01 AM, Romain Bourdy <[email protected]> wrote:
>> Hi Full-Disclosure,
>>
>> Just my two cents but ... the fact they can give your password back
>> doesn't mean it's stored in cleartext, just that it's not hashed but
>> encrypted with some way to get the original data back. This doesn't mean at
>> all it's not secured, even though in most cases it's not.
>>
>> -Romain
>>
>> On Wed, Apr 6, 2011 at 1:36 PM, <[email protected]> wrote:
>>> Kinda plaintextoffenders.com?
>>>
>>> wbr,
>>> - Max
>>>
>>> [email protected] wrote on 01.04.2011 02:17:24:
>>>
>>> > Inc leartext <[email protected]>
>>> > Sent by: [email protected]
>>> > 01.04.2011 13:14
>>> > To: [email protected]
>>> > Subject: [Full-disclosure] password.incleartext.com
>>> >
>>> > Hi FD,
>>> >
>>> > Just launched a new website to keep a list of websites storing
>>> > passwords in clear text. So far the database is small but feel free
>>> > to add some:
>>> > http://password.incleartext.com/
>>> >
>>> > Cheers,
>>> > Inc Leartext
>
> --
> FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
> http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
> http://pastebin.com/f6fd606da
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
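Travis's second scheme, written out as an added example that is not code from anyone in this thread: the server keeps a salted one-way verifier for login plus a recovery copy encrypted to an admin public key whose private half stays off the server, so a compromised server yields neither password. `Record`, `Enroll`, `Verify`, `Recover` and the iterated-HMAC stand-in KDF are my own names and assumptions; RSA-OAEP stands in for the PGP encryption the thread discusses.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// Record is the per-user row the server keeps (hypothetical layout): a salted
// one-way verifier for login, plus a recovery copy encrypted to the admin key.
type Record struct {
	Salt, Verifier, Escrow []byte
}

// verifier: salted, iterated HMAC-SHA256 stand-in for bcrypt/scrypt/Argon2.
func verifier(salt []byte, password string) []byte {
	h := []byte(password)
	for i := 0; i < 20000; i++ {
		mac := hmac.New(sha256.New, salt)
		mac.Write(h)
		h = mac.Sum(nil)
	}
	return h
}

// Enroll runs on the server at signup and needs only the public key.
func Enroll(pub *rsa.PublicKey, password string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	esc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return Record{}, err
	}
	return Record{Salt: salt, Verifier: verifier(salt, password), Escrow: esc}, nil
}

// Verify is the online login check; it never touches the escrow copy.
func Verify(r Record, password string) bool {
	return subtle.ConstantTimeCompare(r.Verifier, verifier(r.Salt, password)) == 1
}

// Recover runs on the admin's own machine, the only place the private key is.
func Recover(priv *rsa.PrivateKey, r Record) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, r.Escrow, nil)
	return string(pt), err
}
```

The point Travis makes still applies: if the private key is ever loaded onto the same server as the records, the escrow copy is as good as plaintext.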
