Comments on: DMA site is not only broken, but insecure

By: WordPress inadvertent disclosure bug « Something better to do

WordPress inadvertent disclosure bug « Something better to do — Tue, 06 Oct 2009 14:14:04 +0000

[...] was posting a blog entry about some idiots emailing me a Web site username and password, and I cut and pasted their email into my blog posting and then edited it to remove the username [...]

By: More on the DMAchoice.org debacle « Something better to do

More on the DMAchoice.org debacle « Something better to do — Tue, 29 Sep 2009 04:02:29 +0000

[...] blog postings about the DMA (initial and followup) got picked up at The Consumerist and got over 5,200 views, which is a respectable take, but not [...]

By: jik

jik — Thu, 24 Sep 2009 15:20:05 +0000

To be fair, that they emailed you your passwords doesn’t necessarily imply they were stored in plaintext. They could be encrypted using symmetric crypto with a key held by the DMA.

Symmetric encryption of passwords in the database is only barely better than storing them in plain-text If a hacker manages to break into the site and steal the database, they will probably be able to steal the decryption key as well. If not, they can do a brute-force attack on the database offline to find the decryption key, unless the people who wrote the site were smart about using variable encryption keys.

In the past, symmetric encryption with a decryption key barely hidden somewhere may have been good enough, because hackers were amateurish and wouldn’t bother to try to break the encryption — they’d just move on to a different site. Now, however, the hacking is well-organized and well-finances, and the hackers are very professional and very serious about their work. Symmetric encryption just doesn’t cit it anymore.

And all of this is aside from the fact that the threat of an insider stealing the passwords is just as onerous as the threat from hackers, if not more so.

By: Nate

Nate — Thu, 24 Sep 2009 13:03:50 +0000

I’ve had a few places email me my password like that. It always scares the crap out of me. Who knows how many websites out there still store plaintext passwords? Probably a lot. But certainly, you’d think that a place whose sole purpose is to store thousands of peoples’ personal information would at least have some clue about keeping that info safe.

I guess that’s what we get for letting the wolf guard the sheep.

By: Quantum Mechanic

Quantum Mechanic — Thu, 24 Sep 2009 11:46:01 +0000

To be fair, that they emailed you your passwords doesn’t necessarily imply they were stored in plaintext. They could be encrypted using symmetric crypto with a key held by the DMA. I’m not saying this is desirable.

Emailing them is inexcuseable, though. It’s also sad to see how many businesses will (robo-)email you passwords when you go through the “forgot password” process rather than (much better) emailing you a one-time password or reset password URL. (Which is still vulnerable against a network sniffer of course, but at least doesn’t expose a password).

By: jik

jik — Thu, 24 Sep 2009 02:21:18 +0000

It’s not quite that bad. I successfully registered one account at their site and provided them with enough PII in email to prove who I was. They still shouldn’t have emailed the usernames or passwords to me, for the reasons described above, but it was reasonable for them to be confident that they were sending them to the right email account.

By: Andrew G

Andrew G — Thu, 24 Sep 2009 02:11:23 +0000

Wait a minute — are you saying that because you posted a blog article claiming to be Jonathan Kamens and sent them a link, they looked up Jonathan Kamens’s account information and emailed it to you?

And all you’re worried about is that they store the passwords en clair and email them at all?