10th February 2014
thirdm
Quote:
Originally Posted by jggimi
You may have heard the news that Adobe disclosed a loss of 3 million encrypted passwords. You may also have heard that they underreported the loss by a factor of 20 -- that the password database that was published online actually lists 150 million userids, Email addresses, password hints and encrypted passwords. You might also have received an Email from Adobe in October about the disclosure, as I did.
It's sad that it's Adobe being so incompetent, but of course it's rampant.

I know a place that not only uses 3DES for passwords, but keeps the key in the text of the executable. In case that's not a big enough hole, it provides an API function that will authenticate you if you provide the cipher text of your password (think if passwd had a flag where you could provide the ciphertext in master.passwd and that would be as good as typing your password). When I challenged someone on that I was told it was to avoid having users keep their unencrypted password in a file on their machine's file system for programs that run automated without a chance for a login prompt. Heh. Challenge them a little more and you soon get, "well our systems are only meant for internal networks anyway." So let's be honest about it and not have authentication at all.

I'm not pretending to be any kind of expert, but when even I could break your system, you're pretty pathetic.
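As an added illustration of the design the post describes (not code from the poster or from the system being criticised), the following constructed Python compares two credential stores. The first mimics the flawed design: reversible encryption with a key embedded in the program, plus an API that accepts the stored ciphertext in place of the password. XOR with a fixed key stands in for 3DES so the example runs with the standard library alone; the properties that matter (the blob is decryptable by anyone holding the binary, and a leaked record is directly replayable) are the same. The second store is the defensive alternative: a salted, slow one-way hash per user, and a separate random token for unattended jobs that is stored only as a hash and can be revoked, which answers the "programs run without a login prompt" argument without making the database itself a credential. All names, keys and passwords here are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# --- Design 1: reversible encryption, key inside the executable -------------
EMBEDDED_KEY = b"hardcoded-key-in-binary"  # constructed; stands in for the 3DES key


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy reversible 'cipher'. Stand-in for 3DES; same decrypt/replay properties."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class ReversibleStore:
    def __init__(self):
        self._db = {}  # user -> ciphertext; this is what leaks in a breach

    def set_password(self, user: str, password: str) -> None:
        self._db[user] = _xor(password.encode(), EMBEDDED_KEY)

    def login(self, user: str, password: str) -> bool:
        # Decrypt with the embedded key and compare: anyone holding the binary
        # can apply the same key to a dump of self._db.
        return hmac.compare_digest(_xor(self._db[user], EMBEDDED_KEY), password.encode())

    def login_with_ciphertext(self, user: str, ciphertext: bytes) -> bool:
        # The "convenience" API: the stored blob is as good as the password.
        return hmac.compare_digest(self._db[user], ciphertext)

    def leaked_record(self, user: str) -> bytes:
        return self._db[user]


# --- Design 2: salted slow hash; the stored verifier is not a credential ----
ITERATIONS = 200_000  # constructed work factor; tune for the deployment


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class HashedStore:
    def __init__(self):
        self._db = {}      # user -> (salt, verifier)
        self._tokens = {}  # token_id -> (user, sha256(token))

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._db[user] = (salt, _derive(password, salt))

    def login(self, user: str, password: str) -> bool:
        salt, verifier = self._db[user]
        return hmac.compare_digest(_derive(password, salt), verifier)

    def leaked_record(self, user: str):
        return self._db[user]

    def issue_service_token(self, user: str):
        """For unattended jobs: a random secret shown once, stored only hashed."""
        token = secrets.token_urlsafe(32)
        token_id = secrets.token_hex(8)
        self._tokens[token_id] = (user, hashlib.sha256(token.encode()).digest())
        return token_id, token

    def login_with_token(self, token_id: str, token: str) -> bool:
        entry = self._tokens.get(token_id)
        if entry is None:
            return False
        _user, digest = entry
        return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest)

    def revoke_token(self, token_id: str) -> None:
        self._tokens.pop(token_id, None)


def demo() -> dict:
    """Shows what a leaked record buys under each design."""
    bad, good = ReversibleStore(), HashedStore()
    bad.set_password("alice", "correct horse")
    good.set_password("alice", "correct horse")
    leaked_blob = bad.leaked_record("alice")
    _salt, verifier = good.leaked_record("alice")
    return {
        # replaying the leaked blob through the ciphertext API logs in directly
        "reversible_replay_ok": bad.login_with_ciphertext("alice", leaked_blob),
        # feeding the leaked verifier back as a password fails in the hashed design
        "hashed_replay_ok": good.login("alice", verifier.hex()),
        "hashed_real_login_ok": good.login("alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The check that matters is in `demo()`: under the reversible design the database row itself is a working credential, so a breach of the database is a breach of every account, whereas under the hashed design the row only lets an attacker attempt slow offline guessing against a per-user salt. The service-token path shows that automation does not require reversible storage: the job holds a random secret, the server holds only its hash, and a compromised job's token can be revoked without touching the user's password.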