On Mon, 4 May 2020, Grant Taylor wrote:

On 5/4/20 10:09 AM, Jeff Mincy wrote:

If you are no longer using the exposed password then disclosing the
previously used password further is not going to make any
difference.

I disagree.

Storing any plain text passwords is a bad practice and should be avoided.

*if* they are being actively used for authentication, either by the security system (which is a glaring flaw in the design of the security system) or as a reference for accessing the secured resource (e.g. a plaintext passwords file on your desktop, which is user error).

I would also suggest it's a bad idea if the user generates passwords using a pattern. A compromised password that is no longer in use anywhere could still potentially expose the pattern used to generate passwords that *are* currently in use.

As such, storing plain text passwords /does/ make a difference.

But, if you are really worried about it, don't write a spamassassin
rule looking for your exposed passwords in the subject.

Which is why I have not. It's also why I asked if there was a way to compare hashed text. To quote:

"Is there any way to compare hashed strings of text?"

I'll note that my question hasn't been answered. Instead, people have focused on something not germane to my question.

...thus, the answer to your question is "no, there is not".


You could potentially obfuscate the RE by doing something like:

  # hex-escaped literal; "=~" is the header-rule match operator
  header   LEAKED_PASSWORD  Subject =~ /\x50\x40\x73\x73\x77\x30\x72\x7c\x29/

...which would at least not have the password trivially visible in plain text for anyone who can read the config file. (You'd, of course, not use a rule name that indicated it was about a password.)


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Where We Want You To Go Today 07/05/2007: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
 4 days until the 75th anniversary of VE day
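An added example, not code from the thread or from SpamAssassin itself, to make the two points above concrete. It shows what the \xNN obfuscation buys (the literal is not greppable, and regex metacharacters such as "|" and ")" become literal matches) and what it does not (anyone who can read the file can decode it in one line). It then shows what a hashed comparison of Subject tokens, as Grant asked about, would have to do: SpamAssassin has no directive for this, so the hashed part is plain Python illustrating the check a custom plugin eval rule would perform, not an SA feature. The password, subjects, key and punctuation list are all constructed for the example.

```python
# Added example; not from the mailing-list thread and not SpamAssassin code.
import hashlib
import hmac
import re

# Constructed sample values. The "password" is the leetspeak literal that the
# example rule above encodes ('P@ssw0r|)'), not anyone's real credential.
EXPOSED_PASSWORD = "P@ssw0r|)"
SAMPLE_SUBJECTS = [
    "Your account P@ssw0r|) has been compromised!",
    "Re: rule syntax question",
    "we know your password: P@ssw0r|).",
]
DEMO_KEY = b"constructed-demo-key"          # would live outside local.cf
PUNCT_TO_STRIP = ".,;:!?\"'"               # assumption: sentence punctuation only


def hex_escape(literal: str) -> str:
    """Encode every byte as \\xNN, the form used in the rule above.

    Useful side effect: metacharacters such as '|' or ')' become literal
    matches, so the obfuscated pattern needs no further escaping.
    """
    return "".join(f"\\x{b:02x}" for b in literal.encode("latin-1"))


def hex_unescape(pattern: str) -> str:
    """Undo hex_escape: the obfuscation is reversible by anyone who can read it."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), pattern)


def sa_header_rule(name: str, literal: str) -> str:
    """Emit a SpamAssassin header rule matching `literal` in the Subject."""
    return f"header   {name}  Subject =~ /{hex_escape(literal)}/"


def rule_matches(literal: str, subject: str) -> bool:
    """Apply the obfuscated pattern; Perl and Python agree on \\xNN in a regex."""
    return re.search(hex_escape(literal), subject) is not None


def candidate_tokens(subject: str) -> set:
    """Whitespace tokens plus copies with sentence punctuation stripped.

    A hash comparison is exact-match, so the substring flexibility of the
    regex has to be approximated here; this heuristic is an assumption.
    """
    out = set()
    for tok in subject.split():
        out.add(tok)
        out.add(tok.strip(PUNCT_TO_STRIP))
    out.discard("")
    return out


def fingerprint(key: bytes, token: str) -> str:
    """Keyed digest that would be stored in the config instead of the literal."""
    return hmac.new(key, token.encode("utf-8"), hashlib.sha256).hexdigest()


def hashed_subject_hits(key: bytes, stored: set, subject: str) -> list:
    """Return the Subject tokens whose fingerprint is in the stored set."""
    return sorted(t for t in candidate_tokens(subject)
                  if any(hmac.compare_digest(fingerprint(key, t), d)
                         for d in stored))


def sha256_hex(token: str) -> str:
    """Unkeyed digest, for the brute-force demonstration below."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def recover_unkeyed(digest: str, wordlist) -> str:
    """Why a bare hash of a short literal is not a secret: try a wordlist."""
    for guess in wordlist:
        if sha256_hex(guess) == digest:
            return guess
    return ""


if __name__ == "__main__":
    print(sa_header_rule("LEAKED_PASSWORD", EXPOSED_PASSWORD))
    print("decoded:", hex_unescape(hex_escape(EXPOSED_PASSWORD)))
    stored = {fingerprint(DEMO_KEY, EXPOSED_PASSWORD)}
    for s in SAMPLE_SUBJECTS:
        print(rule_matches(EXPOSED_PASSWORD, s),
              hashed_subject_hits(DEMO_KEY, stored, s), "<-", s)
    print("wordlist hit:",
          recover_unkeyed(sha256_hex(EXPOSED_PASSWORD),
                          ["password", "P@ssw0rd", EXPOSED_PASSWORD]))
```

Two things the run makes visible. Hex escaping and an unkeyed hash give the same protection against someone holding the file: both fall to a one-liner or a wordlist, so they only defeat casual reading and grep. A keyed HMAC helps only if the key is readable by the SpamAssassin process but not by whoever can read the rule file, and even then the match becomes exact-token rather than substring, which the candidate-token heuristic only partly papers over.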
