by pwg 5257 days ago
In order to send a user a plain text password that has been stored encrypted (as this company apparently claims) they must also have the key to the encryption stored somewhere as well.

Which means that an attacker must: 1) obtain the encrypted PW from their database and 2) obtain the key to the encryption from their database.

But if the attacker obtains their database, it is likely that he/she obtains both the encrypted passwords and the key (or keys) to the encryption.

A real-world analogy would be locking a document into a lockbox, then storing both the lockbox and the key to the lock on the lockbox together in the same safe.

If someone cracks the safe, they have both the lockbox and the key, so the lockbox becomes ineffective.
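The point the comment makes, as an added example that is not part of the original post: a store that keeps passwords under reversible encryption must keep the key next to them, so whoever holds the whole database can turn every ciphertext back into the plaintext password, exactly as the mailer that "sends you your password" does. The contrasting store keeps only a salted, iterated hash, which lets the site verify a login but gives the holder of a dump nothing to reverse. The cipher below is a constructed toy keystream that stands in for any reversible cipher (it is not a real algorithm and not something to reuse), the user names and passwords are constructed sample data, and PBKDF2-HMAC-SHA256 from the standard library stands in for a proper password-hashing function.

```python
import hashlib
import hmac
import secrets

def toy_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Constructed illustration of a reversible cipher: XOR with a keystream
    derived from key, nonce and block counter. Anyone with the key reverses it."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        chunk = plaintext[i:i + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)

# XOR with the same keystream undoes the encryption.
toy_decrypt = toy_encrypt

def build_encrypted_store(passwords: dict) -> dict:
    """The 'encrypted passwords' design: ciphertexts and the key live in one database,
    because the site needs the key to send the plaintext back to the user."""
    key = secrets.token_bytes(32)
    store = {"encryption_key": key, "users": {}}
    for user, pw in passwords.items():
        nonce = secrets.token_bytes(16)
        store["users"][user] = (nonce, toy_encrypt(key, nonce, pw.encode()))
    return store

def plaintexts_from_dump(dump: dict) -> dict:
    """What holding the whole database yields: the key is in the same dump,
    so every stored password comes back in the clear. This is the same operation
    the password-reminder mailer performs."""
    key = dump["encryption_key"]
    return {u: toy_decrypt(key, n, c).decode() for u, (n, c) in dump["users"].items()}

def build_hashed_store(passwords: dict, iterations: int = 200_000) -> dict:
    """The alternative: a per-user salt and an iterated one-way hash. There is no
    key to store, so a dump carries nothing that decrypts."""
    store = {}
    for user, pw in passwords.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        store[user] = (salt, iterations, digest)
    return store

def verify_password(store: dict, user: str, candidate: str) -> bool:
    """Login check against the hashed store: recompute and compare in constant time."""
    salt, iterations, digest = store[user]
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(recomputed, digest)

if __name__ == "__main__":
    sample = {"alice": "correct horse battery", "bob": "hunter2"}  # constructed
    enc = build_encrypted_store(sample)
    print("encrypted store, recovered from dump:", plaintexts_from_dump(enc))
    hashed = build_hashed_store(sample)
    print("hashed store, login check:", verify_password(hashed, "bob", "hunter2"))
```

The hashed store cannot email anyone their old password, which is precisely the property the comment is after: a site that can send you your plaintext password has, by construction, kept the means to recover it in the same place the attacker is reading from.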