Comments on: Insecure Cryptographic Storage http://misc-security.com/2009/09/16/insecure-cryptographic-storage/ Wed, 03 Feb 2010 20:34:51 +0000 http://wordpress.org/?v=abc hourly 1 By: Aaron Grattafiori http://misc-security.com/2009/09/16/insecure-cryptographic-storage/comment-page-1/#comment-41 Aaron Grattafiori Wed, 30 Sep 2009 04:09:05 +0000 http://misc-security.com/?p=250#comment-41 Also.. People that store hashes of CC #s without properly salting them can be asking for trouble, the "keyspace" for of CC numbers isn't very big. Also.. People that store hashes of CC #s without properly salting them can be asking for trouble, the “keyspace” for of CC numbers isn’t very big.

]]> By: Aaron Grattafiori http://misc-security.com/2009/09/16/insecure-cryptographic-storage/comment-page-1/#comment-40 Aaron Grattafiori Wed, 30 Sep 2009 04:05:36 +0000 http://misc-security.com/?p=250#comment-40 Bruce Schneier in one of his books wrote something along the lines of: "The person that invents their own crypto algorithm (I think he said primitive) is either a genius, or a fool. Looking at the typical ratio, the odds aren't good.". I thought that was a clever way to do it and honestly quite truthful. Bruce Schneier in one of his books wrote something along the lines of: “The person that invents their own crypto algorithm (I think he said primitive) is either a genius, or a fool. Looking at the typical ratio, the odds aren’t good.”. I thought that was a clever way to do it and honestly quite truthful.

]]> By: BrettH http://misc-security.com/2009/09/16/insecure-cryptographic-storage/comment-page-1/#comment-35 BrettH Mon, 21 Sep 2009 17:08:50 +0000 http://misc-security.com/?p=250#comment-35 I hope that the team lead and the project manager realized this was a bad idea and changed the way that passwords are being encrypted. These are the types of security problems that should have maximum visibility to the whole business unit. I hope that the team lead and the project manager realized this was a bad idea and changed the way that passwords are being encrypted.

These are the types of security problems that should have maximum visibility to the whole business unit.

]]> By: Nitin Reddy Katkam http://misc-security.com/2009/09/16/insecure-cryptographic-storage/comment-page-1/#comment-34 Nitin Reddy Katkam Mon, 21 Sep 2009 16:42:22 +0000 http://misc-security.com/?p=250#comment-34 I recently hear a conversation in which the project manager asked a lead developer, "How are we encrypting passwords while storing them in the database?" The response was, "I don't know. We downloaded a Microsoft Enterprise Library block from the Internet and are using it through the membership provider in ASP.NET." Even if we are using a very weak algorithm with a private key copy-pasted directly off a web page on the Internet, the response by the team lead created a pretty good sense of security for the project manager. :-D I recently hear a conversation in which the project manager asked a lead developer, “How are we encrypting passwords while storing them in the database?” The response was, “I don’t know. We downloaded a Microsoft Enterprise Library block from the Internet and are using it through the membership provider in ASP.NET.”

Even if we are using a very weak algorithm with a private key copy-pasted directly off a web page on the Internet, the response by the team lead created a pretty good sense of security for the project manager. :-D

]]>