Re: User Alert: E*TRADE Usernames and Passwords Remotely Recoverable

[James Mancini <jmancini () NETREO NET>]

If you couple the cookie vulnerability (and trivial obfuscation of
Username/password combinations) with the fact that E-Trade doesn't permit
strong passwords[1], it becomes clear that they don't have a real security
focus. When I pointed out the weak passwords to them, their response was
"no one else complained."


---
[1] since E-Trade only recognizes letters, numbers, "$", "_", and space in
passwords, and has a maximum password length of 6 characters, a
brute-force attack on the password (assuming a rate of 100,000
attempts/sec) it would take a maximum of 8 days 17 hours 29 mins 49 secs
to brute-force the password. This attack is impractical simply because the
cookie vulnerability already discussed allows for real-time access without
all the tedium of brute-force attacking.

____________________________________________________
James Mancini, CCIE #2006                     Netreo
Chief Strategy Officer               V: 714.560.8935
<jmancini () netreo net>                F: 714.560.8937
____________________________________________________
    Rock-Solid Foundations for Internet Business
                http://www.Netreo.net
____________________________________________________

Attachment: smime.p7s
Description: