From: Kyle R. Hofmann (krh_at_lemniscate.net)
Date: Wed Sep 18 2002 - 18:46:50 CDT
On Tue, 17 Sep 2002 16:51:34 -0400, Jamie McCarthy wrote:
> Obviously, this is not a great thing. A user will be in trouble
> if he or she:
>
> (a) reuses a nickname on other sites,
> (b) reuses passwords on other sites,
> (c) uses a dictionary-attackable password on Slashdot
> (so our MD5 could be reversed),
> (d) bookmarks the "totally insecure" link
> (in which case, again, the user pretty much knew
> what to expect),
> (e) later changes the password, and
> (f) continues to use the bookmark to access Slashdot even
> though it no longer logs in.
>
> What we are seeing in referrer logs are users who fit (d), (e)
> and (f), but we do not know how many also fit conditions (a),
> (b) and (c).
It sounds, however, as if the MD5 hash of a user's password is a
plaintext-equivalent. This eliminates requirement (c). Furthermore, people
will sometimes reveal in conversation who they are on other sites, so (a)
should not be hard to do. Together these make the vulnerability much more
serious, but fortunately neither of my observations applies to the fixed
Slashcode.
-- Kyle R. Hofmann <krh_at_lemniscate.net>
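As an added illustration (not code from this thread or from Slashcode) of why a login URL carrying md5(password) is a plaintext-equivalent credential, here is that design beside a hardened one in which the bookmarkable value is an opaque session token and a password change revokes it. The user store, nicknames and function names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Weak design (constructed sample store): the server keeps md5(password) and
# accepts that same value, e.g. from a URL parameter, as the login credential.
INSECURE_USERS = {"alice": hashlib.md5(b"correct horse").hexdigest()}

def insecure_login(nick, pw_md5):
    """Whoever holds md5(password) is authenticated: the hash itself is the
    secret, so a leak (Referer log, bookmark) needs no dictionary attack."""
    stored = INSECURE_USERS.get(nick)
    return stored is not None and hmac.compare_digest(stored, pw_md5)

# Hardened design: a salted, slow password hash is checked server-side only;
# what the browser may bookmark is a random token unrelated to the password.
ITERATIONS = 100_000

def make_record(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

SECURE_USERS = {"alice": make_record("correct horse")}
SESSIONS = {}  # token -> nick

def secure_login(nick, password):
    """Return a fresh opaque session token, or None on failure."""
    rec = SECURE_USERS.get(nick)
    if rec is None:
        return None
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if not hmac.compare_digest(cand, digest):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = nick
    return token

def session_user(token):
    return SESSIONS.get(token)

def revoke_sessions(nick):
    """Called on password change so stale bookmarked tokens stop working."""
    for tok in [t for t, n in SESSIONS.items() if n == nick]:
        del SESSIONS[tok]
```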