On Mon, 09 May 2011 19:12:52 +0200, [email protected] said: > How is this a "terribly mistake"?
Which is stronger, a password made of 16 characters chosen from the 256-character set 0x0..0xff, or 16 characters chosen from the 62-character set [A-Za-z0-9]? Of course, the fact it's a magic string at all is even more egregious. > If people use the "Site > Security > Set password" then this program can't > decrypt the "sites". And I want a pony. Hint: If you use "set password" where does it get stored? And is it just a case of "it's still an XOR and easily undone, just with a string you have to fetch rather than a fixed string"? A case can be made that this: SITEPASS1="xor-ed bit mess" SITEPASS2="another xor-ed mess" MAGICPASS="string the user entered" is even *easier* for an attacker to deal with than having to crowbar the magic string out of the Flash FPX binary.
pgpMlhkzpPWDF.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
