[plug] ISPs storing plain-text passwords...

Hook hooker at opera.iinet.net.au
Tue Aug 7 06:30:24 WST 2001


Kim Covil wrote:
>
> > Now, if the systems are connected to the internet, then things start to get
> > interesting. The passwords are likely stored in a database. To get the
> > passwords out of the database, a cracker must:
> >
> > 1) be able to access the database. This will probably involve breaking into
> > one of the systems inside the ISP network (not a customer computer).
>
> With worms rife as they are at the moment... This is a major issue...
> I would at least prefer that if someone manages to crack into my ISP's
> database and grab the password info, that they would then have to spend
> time trying to brute force crack my password... at the very least it
> would give more time between the ISP being cracked and my accounts being
> cracked...

It's axiomatic that anything stored on a computer is vulnerable at some
point. But there again, so is the same thing stored on a piece of paper (the
sheer volume of paper may help hide it somewhat of course).  So there really
is no such thing as absolute security. If iinet chose to store passwords as
MD5 hashes, then, given some spare time, you could eventually find a string
which generates the same hash as your password, and, guess what? your
account is no longer safe.

That's the basis for password crackers, and they work quite well, within
their limitations.


The Hooker
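
Added example, not part of the original post: the hashed storage Kim Covil asks for, sketched with a per-user salt and an iterated hash (PBKDF2 from Python's standard library) beside a bare MD5 digest, so each stored record costs separate work to test a guess against. The record format, function names, iteration count and sample password are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000        # assumed work factor; tune to the login server
MAX_ITERATIONS = 5_000_000  # assumed ceiling so a corrupt record cannot stall a login

def unsalted_md5(password: str) -> str:
    """Bare MD5 as mentioned in the thread: fast, and equal passwords match."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build a database field: scheme$iterations$salt$derived_key (hex)."""
    salt = os.urandom(16)  # fresh random salt for every account
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> bool:
    """Check a login attempt; malformed or unknown records are rejected."""
    try:
        scheme, iters, salt_hex, key_hex = record.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)

def compare_schemes(password: str = "correct horse") -> dict:
    """Store one constructed sample password for two accounts under each scheme."""
    rec_a, rec_b = make_record(password), make_record(password)
    return {
        "md5_rows_identical": unsalted_md5(password) == unsalted_md5(password),
        "pbkdf2_rows_identical": rec_a == rec_b,
        "both_verify": verify(password, rec_a) and verify(password, rec_b),
        "wrong_password_rejected": not verify(password + "x", rec_a),
    }

if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```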



