by niemand
5054 days ago
Shouldn't everyone know by now that this plain text concatenation scheme is insecure? By using this scheme, you're trusting $domainName to securely scramble the password. Once a single password is known in plain, an attacker has a nice password template that he can try on any site. The last few bits of security would be your user name (which is often similar to the one you use elsewhere) or nothing at all if you can log in by email address (which is usually possible these days; and that email address is often among the leaked information as well). Instant login anywhere! At least hash that '$domain+$masterpass' string...

More problems: I heard some people still truncate passwords down to unreasonable lengths on the server side, which might make hash compression (e.g. base 16 -> base 64) necessary and which will totally break the simple concatenation scheme, leaving a prefix of $domainName as the actual password. Ouch.
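An added example (not code from the comment above or from any product it refers to) that makes the two points concrete: how much one leaked site password reveals under plain concatenation versus a hashed derivation, and what server-side truncation does to each. The derivation uses PBKDF2-HMAC-SHA256 with the domain as salt and base64 output; those choices, the iteration count and the sample values are assumptions of this example, since the comment only says "at least hash that string".

```python
import base64
import hashlib

# Constructed sample values for the demonstration.
MASTER = "hunter2"
DOMAIN_A = "example.com"
DOMAIN_B = "example.org"


def site_password_concat(domain: str, master: str) -> str:
    """The scheme the comment criticises: '$domainName' + '$masterpass'."""
    return domain + master


def site_password_derived(domain: str, master: str, length: int = 20) -> str:
    """Hashed alternative: derive a per-site password from master and domain.

    base64 rather than hex is the 'hash compression' the comment mentions:
    the same entropy fits in fewer characters, which matters when a server
    truncates passwords.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), domain.encode(), 100_000)
    return base64.b64encode(key).decode()[:length]


def template_exposed_by_leak(leaked: str, domain: str):
    """What a leaked site password reveals to someone who knows the scheme.

    Under concatenation the master is simply the text after the domain prefix,
    i.e. the 'password template' usable on any other site. A derived password
    never starts with a domain (base64 has no '.'), so nothing is exposed.
    """
    if leaked.startswith(domain):
        return leaked[len(domain):]
    return None


def server_truncates(password: str, max_len: int) -> str:
    """Model a server that silently keeps only the first max_len characters."""
    return password[:max_len]


if __name__ == "__main__":
    concat = site_password_concat(DOMAIN_A, MASTER)
    derived = site_password_derived(DOMAIN_A, MASTER)
    print("concat leak reveals:", template_exposed_by_leak(concat, DOMAIN_A))
    print("derived leak reveals:", template_exposed_by_leak(derived, DOMAIN_A))
    print("concat after 8-char truncation:", server_truncates(concat, 8))
    print("derived after 8-char truncation:", server_truncates(derived, 8))
```

With an 8-character server-side limit the concatenated password collapses to a prefix of the domain name, exactly the failure the comment describes, while the derived one keeps 8 characters that depend on the master.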