Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 23, 2013
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
Huh. So for this to work I guess that means either:
1. Hotmail has been silently truncating passwords to 16 characters before hashing all along.
or 2. They've got the passwords stored in plaintext somewhere.
Which do we think is more likely?
Security quotes of the week
Posted Sep 27, 2012 20:16 UTC (Thu) by tx (subscriber, #81224)
Posted Oct 9, 2012 18:02 UTC (Tue) by elanthis (guest, #6227)
At the end of the day, 99% of programmers suck at their job, and those folks have landed jobs at just about every tech company on the planet, big and small. Not much to do besides shake you head and move on with life.
... and remember to use different passwords for different sites/services.
Posted Oct 11, 2012 10:38 UTC (Thu) by nix (subscriber, #2304)
(The rewrite pulled strong random numbers out of /dev/random and wrote them to a mode 0600 file in ~, then used that as the key. I pointed out that this was as secure as we could make it without external key storage on a more secure medium or a requirement for users to type in passphrases, but that the security of the whole system was still no better than the security of the random key file, rendering all the password-protection pointless since we could just have stored the passwords unencrypted in the users' home directories mode 0600 and got exactly the same level of security. But, no, the spec said encryption so encryption we must have.)
Posted Oct 11, 2012 15:43 UTC (Thu) by raven667 (subscriber, #5198)
It was clear and understood by the QSA and management that this only prevented accidental disclosure due to shoulder surfing, printing or copying of config files and would not prevent disclosure to anyone with access to the host. That was fine and understood to be the risk, obfuscating sensitive config values turned out not to be that big a deal in practice.
Posted Oct 11, 2012 18:58 UTC (Thu) by nix (subscriber, #2304)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds