Programmatically Producing Poor Passwords
This is an old version of ProCheckUp’s blog. Please go to http://www.procheckup.com/blog to read the latest version.
Tuesday, 10 June 2008
Previous Posts
- Of PCI DSS and product certification inconsistencies
- Capturing admin passwords of embedded devices via ...
- A good year of vulnerability research for ProCheckUp
- BEA Plumtree Portal usernames disclosure and other...
- eBay Insecurities
- Default to No
- Fun at Defcon 15
- Cookie of death?
- Windows Vista User Account Control (UAC)
- The day of ASP. NET vulnerabilities
1 Comments:
so we're saying that all the attacker needs to do is: 1. enter the victim's username in the password reset page, 2. bruteforce a list of 5568 possible passwords on the login page.
such bruteforce attack would only take a few mins. needless to say when the correct password is found, the victim's account would be compromised.
this is a very good example of how NOT to implement a password reset feature! thanks for sharing Jan!
Post a Comment
<< Home