The story of website password generators

Syndicate

Projects

mirrored Conference materials

BinVis

Git projects

Shared notes

Search

Flattr

If you like this, you can use flattr. ;)

Imprint

About
eMail: wishinet at gmail . com
PGP ID: 0xCCCA5E74

Jabber: wishi@jabber.ccc.de

Tags for this post

IT Sec

Similar entries

Recent blog posts

wishinet: checking out GDB with Dtrace support for OS X... (1.9.2). Should be interesting.
wishinet: RT @bfoo: Worth reading: http://merbist.com/2010/08/22/discussion-with-a-java-switcher/
wishinet: nächstes Jahr Taikai in Nürnberg (http://www.taikai.de/) - und nu aus Nürnberg total groggy in die Falle! ;)

Links

UnprotectedHex - about formal software verification
Sean's blog

Xecurity - a security feed collecter
Reddit RCE group

Freedom To Tinker
Emergent Chaos

Woodmann RCE forums
OpenRCE community forums

SecViz - security data visualization
DAVIX Live - for security metrics
Hex Live
Security Metrics

Immunity's Free Software
Core Security's OpenSouce research
Zynamics Blog

Centralops
Serversniff

The story of website password generators

Tue, 08/04/2009 - 18:52 | wishi

txt

That's a good PW generator. There're others.

A lesson learned

A lesson a co-worker, Bob, learned recently was: never trust. He's a security minded and competent administrator and specialized at security. However - something we have in common: lazy.

When Bob recently created a bunch of new passwords, he used a website, created an account, and what's very convenient: all the generated passwords are stored in a table. He added some usernames and used the website a while. There're password recovery functions. A real work-saver, however the setup is not local and does not belong to the company.

Yes, the web-site owner is storing the passwords and he was using them. And no, he was not allowed to do so.

Needless to say: FAIL

Even if there aren't obvious features like logins or a password table: website owners can log a lot. These logs can be correlated back with the passwords.

Use a local application, Bob!

wishi

p.s.: the website will not be mentioned for legal reasons.

wishi's blog |

1+[encrypted]+#b94+ |

txt |

Tags: computer crimes, haqs, Web-Apps

Post new comment

Your name:

E-mail:

The content of this field is kept private and will not be shown publicly.

Homepage:

Comment: *

Input format

Filtered HTML

Web page addresses and e-mail addresses turn into links automatically.
Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
Lines and paragraphs break automatically.
You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <c>, <cpp>, <drupal5>, <drupal6>, <java>, <javascript>, <php>, <python>, <ruby>. The supported tag styles are: <foo>, [foo].
Information indicating specific htmLawed (X)HTML filter/purifier settings in effect, which may depend on the content-type, will be shown where appropriate.
Twitter-style @usersnames are linked to their Twitter account pages.
Twitter-style #hashtags are linked to search.twitter.com.

Full HTML

Web page addresses and e-mail addresses turn into links automatically.
Lines and paragraphs break automatically.
You can enable syntax highlighting of source code with the following tags: <code>, <blockcode>, <c>, <cpp>, <drupal5>, <drupal6>, <java>, <javascript>, <php>, <python>, <ruby>. The supported tag styles are: <foo>, [foo].
Information indicating specific htmLawed (X)HTML filter/purifier settings in effect, which may depend on the content-type, will be shown where appropriate.

More information about formatting options

CAPTCHA

This question is for testing whether you are a human visitor and to prevent automated spam submissions.

Egglue Powered

crazylazy.info

Syndicate

Projects

Search

Flattr

Imprint

Tags for this post

IT Sec

Similar entries

Recent blog posts

wishi's Twitter

Navigation

Links

The story of website password generators

A lesson learned

Needless to say: FAIL

Post new comment

Save the nature. Don't print this!

Datenerfassung