[Owasp-topten] Insecure Cryptographic Storage

Ray Foo gunblad3 at gmail.com
Fri Apr 3 22:13:59 EDT 2009


For one-way functions, it's not practical/possible to retrieve the original
text given the result, which is good for passwords since we only want to
know whether the user has entered his own password correctly (i.e. the
hashes should be the same) without having to know the actual password
itself.
As implied by the name "two-way encryption", it is possible to get back the
original message given the key, which is an unnecessary risk in terms of
password management given our needs (see above).

Ray.

On Sat, Apr 4, 2009 at 9:44 AM, Zaki Akhmad <zakiakhmad at gmail.com> wrote:

> On Sat, Apr 4, 2009 at 1:03 AM, Anurag Agarwal <anurag.agarwal at yahoo.com>
> wrote:
>
> > To break it down a little bit, if the application is allowing a user to
> > retrieve their old password, that means it is stored either in clear text
> > or two way encryption (both of them are bad practice, one worse than the
> > other), if they are making the user select a new password, though they
> > may still be storing it in cleartext or two way encryption but the
> > chances are it is probably hashed and stored.
>
> I am a little bit confused by the words "two way encryption". Is there
> "one way encryption"? What's the difference from a hash function, aka
> one way function?
>
> > Web: www.attacklabs.com , www.myappsecurity.com
>
> Both of them inactive?
>
> --
> Zaki Akhmad
> _______________________________________________
> Owasp-topten mailing list
> Owasp-topten at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-topten
>
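The distinction Ray describes, shown as an added example that is not part of the original thread: a salted one-way password record (PBKDF2-HMAC-SHA256, a choice assumed here) that can only be verified by recomputing and comparing, next to a deliberately toy reversible transform that hands the password straight back to anyone holding the key. The toy XOR routine is not a real cipher and exists only to illustrate the two-way property.

```python
import os
import hashlib
import hmac
from typing import Optional

# Work factor for PBKDF2; assumed value, tune to your hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """One-way: return a storable record that never contains the password.

    A fresh random salt per user means two users with the same password
    get different records, and precomputed tables do not apply.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt; the hashes should be the same.

    The server learns only yes/no, never the stored user's password.
    compare_digest avoids leaking how many bytes matched via timing.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def toy_reversible_encrypt(password: str, key: bytes) -> bytes:
    """Two-way (TOY, not a real cipher): XOR with a repeating key.

    Shown only to make the point that a reversible transform is fully
    undone by whoever obtains the key, unlike the hash record above.
    """
    data = password.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def toy_reversible_decrypt(blob: bytes, key: bytes) -> str:
    """Anyone holding the key gets the original password back."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob)).decode("utf-8")
```

Compromise of the record store alone yields no passwords in the one-way design, while compromise of store plus key in the two-way design yields all of them.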