Storing passwords in a recoverable format

From OWASP
Revision as of 14:28, 10 July 2007 by Xc7R5f (Talk | contribs)



Overview

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. If a system administrator can recover the password directly, or can brute-force it from the information available to him, he can use that password on the user's other accounts.

Consequences

  • Confidentiality: User's passwords may be revealed.
  • Authentication: Revealed passwords may be reused elsewhere to impersonate the users in question.

Exposure period

  • Design: The method of password storage and use is often decided at design time.
  • Implementation: In some cases, the decision of algorithms for password encryption or hashing may be left to the implementers.

Platform

  • Languages: All
  • Operating platforms: All

Required resources

Access to read stored password hashes

Severity

Medium to High

Likelihood of exploit

Very High

Avoidance and mitigation

  • Design / Implementation: Ensure that stored passwords are protected with a strong, non-reversible (one-way) transformation rather than with anything that can be decrypted or decompressed back to the original.

Discussion

The use of recoverable passwords significantly increases the chance that passwords will be used maliciously. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plain-text passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders.

Examples

In C/C++:

#include <stdio.h>
#include <string.h>

/* Assumed to exist elsewhere: compress() returns a recoverable (decompressible)
   form of its input, and compressed_password holds that form of the stored
   administrator password. */
extern char *compress(const char *s);
extern const char *compressed_password;

int VerifyAdmin(char *password) {

  /* Comparing against a recoverable form means anyone who can read
     compressed_password can get the original password back. */
  if (strcmp(compress(password), compressed_password)) {
    printf("Incorrect Password!\n");
    return(0);
  }

  printf("Entering Diagnostic Mode...\n");
  return(1);
}

In Java:

// Assumed to exist elsewhere: compress() returns the recoverable (decompressible)
// form of its input, and compressed_password holds that form of the stored
// administrator password.
int VerifyAdmin(String password) {

  // Same flaw as the C version: the stored value is recoverable by anyone who reads it.
  if (!compress(password).equals(compressed_password)) {
    return 0;
  }
  // Diagnostic Mode
  return 1;
}
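The following is an added example, not code from the OWASP page: it puts the recoverable "compressed" password store used by the C and Java examples above next to the non-reversible scheme the mitigation section calls for (a salted, iterated one-way hash compared in constant time). The `store_recoverable`/`recover` pair stands in for the page's `compress()`/`compressed_password`; the PBKDF2 work factor, the record format and the sample passwords and salts are constructed for illustration.

```python
# Added example, not part of the OWASP page: a recoverable "compressed" password
# store (the pattern in the C/Java examples) beside a non-recoverable salted,
# iterated hash. Sample passwords and salts are constructed for illustration.
import hashlib
import hmac
import os
import zlib
from typing import Optional

# --- Weak scheme: the stored value can be turned back into the password -------

def store_recoverable(password: str) -> bytes:
    """Mirror of compress(): stores a reversible (decompressible) form."""
    return zlib.compress(password.encode("utf-8"))


def recover(stored: bytes) -> str:
    """Anyone who can read the store gets the original password back."""
    return zlib.decompress(stored).decode("utf-8")


def verify_recoverable(password: str, stored: bytes) -> bool:
    """Equivalent of the page's strcmp(compress(password), compressed_password)."""
    return zlib.compress(password.encode("utf-8")) == stored


# --- Hardened scheme: one-way, salted, iterated; there is nothing to recover ---

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed work factor; tune to the deployment


def store_hashed(password: str, salt: Optional[bytes] = None,
                 iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt  # per-password random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
        # constant-time comparison: no timing leak on how many bytes matched
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count or bad hex/int
        return False


if __name__ == "__main__":
    pw = "correct horse battery"  # constructed sample
    weak = store_recoverable(pw)
    print("weak store recovers the password:", recover(weak) == pw)
    strong = store_hashed(pw, iterations=100_000)
    print("hashed record:", strong)
    print("hashed verifies:", verify_hashed(pw, strong), verify_hashed("guess", strong))
```

Reading the weak store is enough to obtain the password itself, which is exactly the reuse risk the page describes; reading the hashed record yields only a salt and a digest, so an insider or an attacker with read access is left with an offline guessing effort whose cost is set by the iteration count. Storing the algorithm name and iteration count in the record is what lets the work factor be raised later without invalidating existing users.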

Related problems