On 17 September 2010 17:15, Samuel Lai <[email protected]> wrote:

>
>
> Sent from my iPhone
>
> On 17/09/2010, at 4:28 PM, mike smith <[email protected]> wrote:
>
> On 17 September 2010 14:24, silky < <[email protected]>
> [email protected]> wrote:
>
>> On Tue, Sep 14, 2010 at 10:26 AM, silky < <[email protected]>
>> [email protected]> wrote:
>>
>> [...]
>>
>> >> The cookie might have the hashed result of an SSN.  Shouldn't, but
>> might.
>> >
>> > I don't think it's hashing that is at risk (they mention AES). I think
>> > the attack is that you can prepare an invalid encrypted message, and
>> > brute-force-ish ask <http://ASP.NET>ASP.NET to decrypt it, and based on
>> it's answers
>> > you can get closer to getting the key that the other .NET process is
>> > using. So, assuming this is so, you should never report a
>> > cryptographic failure (though, it's still implied, because you don't
>> > get what you want, so ...). But then again, I know nothing of the
>> > attack and I'm not an expert, this is just my guess.
>> >
>> > The moral is probably to not forget that bruteforce-style attacks are
>> > still legitimate.
>>
>> Details:
>> <http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/>
>> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
>> (different tool but probably similar approach).
>>
>> >From there it seems that we can conclude what we thought initially: do
>> not send back .net exceptions for cryptography errors (always
>> something generic like "invalid username/password combination").
>>
>>
> And if you have a "forgot password" don't say whether the email address you
> enter succeeds or fails.  So many fail at this step.
>
>
> That isn't very practical though. How long should the user be expected to
> wait for the password reset email to arrive? I often can't remember if I
> have registered on a website, particularly if it was only to get access to
> something.
>
>
Probably it should use the username to return the pw to your email.  But
that's not a perfect solution, either.


> Also, what happens when a user tries to register with an email address that
> has already been used? System error?
>

I find the multiplicity of sites that expect me to register with user/pw
rather annoying.  I'd sooner more used something like openid - it means I
can use a strong password, and not have to remember multiple pws.  ANd be
able to change it once, change it everywhere.




>
> Personally, I'll settle for never seeing my current password being sent to
> me in clear text again for whatever reason. Mailman, I'm looking at you,
> among others.
>
>
>
>> Also, a general throttling/blocking of repeated invalid attemps
>> (perhaps somewhat-exponentially slowed as n increases)  is appropriate
>> (there are other risks associated with doing this; i.e. inconvenience
>> for users via a DoS style attack on accounts, but you can at least
>> consider it and other similar approaches).
>>
>> --
>> silky
>>
>>  <http://dnoondt.wordpress.com/>http://dnoondt.wordpress.com/
>>
>> "Every morning when I wake up, I experience an exquisite joy — the joy
>> of being this signature."
>>
>
>
>
> --
> Meski
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure,
> you'll get it, but it's going to be rough" - Adam Hills
>
>


-- 
Meski

"Going to Starbucks for coffee is like going to prison for sex. Sure, you'll
get it, but it's going to be rough" - Adam Hills

Reply via email to