[Owasp-topten] Insecure Cryptographic Storage

Anurag Agarwal anurag.agarwal at yahoo.com
Fri Apr 3 14:03:49 EDT 2009


To break it down a little bit: if the application allows a user to retrieve their old password, that means it is stored either in clear text or with two-way encryption (both of them are bad practice, one worse than the other). If they make the user select a new password, they may still be storing it in cleartext or with two-way encryption, but the chances are it is probably hashed and stored.

Cheers,

Anurag Agarwal

Web: www.attacklabs.com , www.myappsecurity.com
Email : anurag.agarwal at yahoo.com
Blog : http://myappsecurity.blogspot.com

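The distinction drawn above (a "forgot password" feature that mails back the old password implies reversible storage, while one that forces a new password is compatible with one-way hashing) can be shown in code. The following is an added illustration, not code from the thread or from OWASP: a minimal credential store that can only verify a password, never return it, with a single-use reset token in place of password retrieval. The PBKDF2 work factor and the 16-byte salt are assumed values.

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). The digest is one-way: the store keeps no key
    that could turn it back into the password, so retrieval is impossible."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class CredentialStore:
    """Stores only (salt, digest) per user; the "forgot password" path issues
    a reset token and accepts a new password instead of revealing the old one."""

    def __init__(self):
        self._users = {}   # username -> (salt, digest)
        self._resets = {}  # reset token -> username (single use)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        return rec is not None and verify_password(password, *rec)

    def begin_reset(self, username: str) -> str:
        # Unguessable token, e.g. sent out of band; it never exposes the hash.
        token = secrets.token_urlsafe(32)
        self._resets[token] = username
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        username = self._resets.pop(token, None)  # consume the token
        if username is None:
            return False
        self._users[username] = hash_password(new_password)
        return True
```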




________________________________
From: Dave Wichers <dave.wichers at aspectsecurity.com>
To: Zaki Akhmad <zakiakhmad at gmail.com>; owasp-topten at lists.owasp.org
Sent: Friday, April 3, 2009 8:46:34 AM
Subject: Re: [Owasp-topten] Insecure Cryptographic Storage

In general. Yes.

-----Original Message-----
From: owasp-topten-bounces at lists.owasp.org
[mailto:owasp-topten-bounces at lists.owasp.org] On Behalf Of Zaki Akhmad
Sent: Friday, April 03, 2009 11:40 AM
To: owasp-topten at lists.owasp.org
Subject: [Owasp-topten] Insecure Cryptographic Storage

Hello,

I'm back to ask again :-)

Is it true that the end user will never know whether his/her password is
stored in plain text or cipher text? Unless he/she knows how
the program stores the password, and to get to know it, the user should get
access to the source code.

CMIIW
-- 
Zaki Akhmad
_______________________________________________
Owasp-topten mailing list
Owasp-topten at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-topten