On 17 September 2010 17:15, Samuel Lai <[email protected]> wrote: > > > Sent from my iPhone > > On 17/09/2010, at 4:28 PM, mike smith <[email protected]> wrote: > > On 17 September 2010 14:24, silky < <[email protected]> > [email protected]> wrote: > >> On Tue, Sep 14, 2010 at 10:26 AM, silky < <[email protected]> >> [email protected]> wrote: >> >> [...] >> >> >> The cookie might have the hashed result of an SSN. Shouldn't, but >> might. >> > >> > I don't think it's hashing that is at risk (they mention AES). I think >> > the attack is that you can prepare an invalid encrypted message, and >> > brute-force-ish ask <http://ASP.NET>ASP.NET to decrypt it, and based on >> it's answers >> > you can get closer to getting the key that the other .NET process is >> > using. So, assuming this is so, you should never report a >> > cryptographic failure (though, it's still implied, because you don't >> > get what you want, so ...). But then again, I know nothing of the >> > attack and I'm not an expert, this is just my guess. >> > >> > The moral is probably to not forget that bruteforce-style attacks are >> > still legitimate. >> >> Details: >> <http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/> >> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/ >> (different tool but probably similar approach). >> >> >From there it seems that we can conclude what we thought initially: do >> not send back .net exceptions for cryptography errors (always >> something generic like "invalid username/password combination"). >> >> > And if you have a "forgot password" don't say whether the email address you > enter succeeds or fails. So many fail at this step. > > > That isn't very practical though. How long should the user be expected to > wait for the password reset email to arrive? I often can't remember if I > have registered on a website, particularly if it was only to get access to > something. > > Probably it should use the username to return the pw to your email. But that's not a perfect solution, either.
> Also, what happens when a user tries to register with an email address that > has already been used? System error? > I find the multiplicity of sites that expect me to register with user/pw rather annoying. I'd sooner more used something like openid - it means I can use a strong password, and not have to remember multiple pws. ANd be able to change it once, change it everywhere. > > Personally, I'll settle for never seeing my current password being sent to > me in clear text again for whatever reason. Mailman, I'm looking at you, > among others. > > > >> Also, a general throttling/blocking of repeated invalid attemps >> (perhaps somewhat-exponentially slowed as n increases) is appropriate >> (there are other risks associated with doing this; i.e. inconvenience >> for users via a DoS style attack on accounts, but you can at least >> consider it and other similar approaches). >> >> -- >> silky >> >> <http://dnoondt.wordpress.com/>http://dnoondt.wordpress.com/ >> >> "Every morning when I wake up, I experience an exquisite joy — the joy >> of being this signature." >> > > > > -- > Meski > > "Going to Starbucks for coffee is like going to prison for sex. Sure, > you'll get it, but it's going to be rough" - Adam Hills > > -- Meski "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll get it, but it's going to be rough" - Adam Hills
