Bugtraq mailing list archives
Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable
From: James Mancini <jmancini () NETREO NET>
Date: Mon, 25 Sep 2000 13:29:30 -0700
If you couple the cookie vulnerability (and trivial obfuscation of Username/password combinations) with the fact that E-Trade doesn't permit strong passwords[1], it becomes clear that they don't have a real security focus. When I pointed out the weak passwords to them, their response was "no one else complained."

---

[1] Since E-Trade only recognizes letters, numbers, "$", "_", and space in passwords, and has a maximum password length of 6 characters, a brute-force attack on the password (assuming a rate of 100,000 attempts/sec) would take a maximum of 8 days 17 hours 29 mins 49 secs. This attack is impractical simply because the cookie vulnerability already discussed allows for real-time access without all the tedium of brute-force attacking.

____________________________________________________
James Mancini, CCIE #2006
Netreo Chief Strategy Officer
V: 714.560.8935 <jmancini () netreo net>
F: 714.560.8937
____________________________________________________
Rock-Solid Foundations for Internet Business
http://www.Netreo.net
____________________________________________________
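Worked through as an added example (not part of Mancini's post): the brute-force arithmetic behind footnote [1]. The alphabet size is an assumption the post does not spell out; a 65-symbol alphabet (52 case-sensitive letters, 10 digits, "$", "_" and space) with exactly six characters reproduces the quoted 8 days 17 hours 29 mins 49 secs at 100,000 attempts/sec, so that is the model the footnote's figure corresponds to. The script also computes the case-insensitive alphabet (39 symbols) and the keyspace that includes every shorter password, to show how much those modelling choices move the result.

```python
# Added example, not code from the original Bugtraq post.
# Brute-force cost of a 6-character password over a small alphabet.
# Alphabet sizes below are assumptions derived from the policy described
# in the post: letters, digits, "$", "_" and space.

ALPHABET_CASE_SENSITIVE = 26 + 26 + 10 + 3   # 65 symbols (reproduces the post's figure)
ALPHABET_CASE_INSENSITIVE = 26 + 10 + 3      # 39 symbols (if the site folds case)
MAX_LEN = 6
RATE_PER_SEC = 100_000                       # guess rate assumed in the post


def keyspace(alphabet: int, length: int, all_lengths: bool = False) -> int:
    """Number of candidate passwords.

    all_lengths=False counts only passwords of exactly `length` symbols,
    which is what the post's 8d 17h figure corresponds to.
    all_lengths=True also counts every shorter password (lengths 1..length).
    """
    if all_lengths:
        return sum(alphabet ** k for k in range(1, length + 1))
    return alphabet ** length


def worst_case_seconds(candidates: int, rate: int) -> float:
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return candidates / rate


def expected_seconds(candidates: int, rate: int) -> float:
    """Average time to hit a uniformly random password: half the keyspace."""
    return candidates / (2 * rate)


def format_duration(seconds: float) -> str:
    """Render a duration as 'D days H hours M mins S secs', rounded to whole seconds."""
    total = round(seconds)
    days, rem = divmod(total, 86_400)
    hours, rem = divmod(rem, 3_600)
    mins, secs = divmod(rem, 60)
    return f"{days} days {hours} hours {mins} mins {secs} secs"


def worst_case_report(alphabet: int, length: int, rate: int,
                      all_lengths: bool = False) -> str:
    """Worst-case exhaustion time for the given policy, as a readable string."""
    return format_duration(worst_case_seconds(keyspace(alphabet, length, all_lengths), rate))


if __name__ == "__main__":
    for label, alphabet in (("case-sensitive (65)", ALPHABET_CASE_SENSITIVE),
                            ("case-insensitive (39)", ALPHABET_CASE_INSENSITIVE)):
        exact = keyspace(alphabet, MAX_LEN)
        every = keyspace(alphabet, MAX_LEN, all_lengths=True)
        print(f"{label}: {exact:,} six-char candidates, {every:,} incl. shorter")
        print(f"  worst case @ {RATE_PER_SEC:,}/s: "
              f"{worst_case_report(alphabet, MAX_LEN, RATE_PER_SEC)}")
        print(f"  expected  @ {RATE_PER_SEC:,}/s: "
              f"{format_duration(expected_seconds(exact, RATE_PER_SEC))}")
```

The 65-symbol, exact-length model gives 75,418,890,625 candidates, which at 100,000 guesses per second is the post's 8 days 17 hours 29 mins 49 secs; including shorter passwords adds under two percent, while folding case cuts the worst case to under ten hours. Either way the keyspace is small enough that the rate assumption, not the alphabet, is what decides whether online guessing is practical.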
Current thread:
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable James Mancini (Sep 25)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- Advisory: E*TRADE security problems in full Jeffrey W. Baker (Sep 25)
- Re: Advisory: E*TRADE security problems in full Ben Galehouse (Sep 26)
- Re: Advisory: E*TRADE security problems in full Gunther Birznieks (Sep 27)
- Re: Advisory: E*TRADE security problems in full reb (Sep 27)
- Re: Advisory: E*TRADE security problems in full Signal 11 (Sep 28)
- Re: Advisory: E*TRADE security problems in full Ben Galehouse (Sep 26)
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Marc Slemko (Sep 25)
- <Possible follow-ups>
- Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable Bridgette Julie Landers (Sep 26)