Reports are emerging that Internet registrar Name.com has suffered a data breach and is resetting all user passwords. The breach has been revealed in an e-mail to customers published by TheNextWeb, stating that compromised information could include usernames, e-mail addresses, passwords and credit card information – the last two …
Aah, that explains it!
I tried to log in to my name.com account yesterday and the password didn't work. Went through the password reset procedure, and it wouldn't let me reuse the previous password (which wouldn't work anyway!)
Seemed a bit odd at the time, but obvious now...
That reads like both the passwords and the credit card information were reversibly encrypted.
That's needed for the credit card but should not be done for the passwords - they should be one-way hashed.
You check the input password by hashing it and comparing the hashes, you should never be able to retrieve the original password.
And these days, with so many reported breaches, you should encrypt everything. They already have all the code set up so it would be trivial to encrypt the email addresses as well. I'm not sure about best practice for the user name, I'm not a security expert - but encrypt everything else.
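The one-way check this comment describes (hash the candidate, compare hashes, never store anything that yields the original) as an added example in Python; it is not code from the page or from Name.com, and the PBKDF2 parameters and the storage record layout are my assumptions:

```python
import hashlib
import hmac
import os

# Assumed parameters for this example: tune iterations to the hardware the site runs on.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a storable record "pbkdf2_sha256$iterations$salt_hex$hash_hex".

    A fresh random salt per user means two users with the same password get
    different records, and the slow key derivation makes each guess expensive.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the candidate and compare it in constant time.

    The record contains no key and no ciphertext: neither the site nor anyone
    who copies the user table can turn it back into the password.
    """
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: register once, then check a right and a wrong login.
    stored = hash_password("correct horse battery")
    print(stored)
    print(verify_password("correct horse battery", stored))  # True
    print(verify_password("Correct horse battery", stored))  # False
```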
Re: Bad security?
They can't encrypt data the system actively uses in an automated way, such as emails, because then they would need to also keep the private keys handy for the server to use. If the keys get compromised it's like you never encrypted the data at all. It would render everything pointless.
Re: Bad security?
Then how do they get to the credit card information? If they can use that they have a method of getting the keys, so that method could be used for other information.
I'm not a security expert, I don't know how they access the keys safely, but they seem to have some method of doing so. One possible method would be to use a separate machine to decrypt, passing only the cipher text and clear text between the machines.
I heard about it from name.com first, so that's good.
The passwords probably ARE one-way hashed - they should be - but weak passwords are still vulnerable to dictionary cracking. And a LOT of people use weak passwords. (Sheesh, you should see some of the admin pw's I've seen on EMR systems...)