Russ (avantman42) wrote in opensourceforum,

Confused.com (in)security

People in the UK have probably seen Confused.com's TV advert, telling us how wonderful and easy to use the new site is. I signed up for an account recently, but when I entered a password, a message popped up to say:
"Password must be 6 to 8 characters, with no spaces, commas, hyphens or numbers"
Although they don't specifically say so, I discovered that underscores aren't allowed either.

Further experimentation revealed that the password isn't case-sensitive, so it's obviously not stored as a hash. The password I entered when I signed up had both upper and lower case characters, but I've been able to log in using the same combination, with all lower-case, all upper-case, and with the cases swapped.

I did a bit more poking around, and wrote a simple script to try 100 wrong passwords, then the correct one. I ran it from a server with a fast internet connection, and it took about 5 seconds to run, getting a successful login on the 101st try. It would appear, therefore, that they have no defence against brute-force attacks.

Luckily, their security page explains that I have nothing to worry about, because they use 128-bit encryption and:
"As a further commitment to security, our site was submitted for approval by Thawte, the acknowledged experts in web security. Thawte authenticated Confused.com as being secure and awarded us a universally recognised digital ID certificate."
As far as I can tell, all that really means is that they bought an SSL certificate from Thawte.
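What the policy described above amounts to in numbers, and the kind of server-side throttle that would have stopped the 101-attempt test, as an added example that is not part of Russ's post or anything from Confused.com; the account name, the lockout thresholds and the 20-attempts-per-second pacing are assumptions derived from the post's figures (101 attempts in about 5 seconds).

```python
import math
from dataclasses import dataclass, field
from typing import Dict, Optional


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over an alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Guessing entropy (bits) of a password chosen uniformly from that space."""
    return math.log2(space)


# Policy from the post: 6-8 characters, letters only (no digits, spaces, commas,
# hyphens or underscores) and case-insensitive, so effectively a 26-symbol alphabet.
CONFUSED_POLICY = keyspace(26, 6, 8)
# Contrast (assumed, not from the post): 12 characters from the 95 printable ASCII symbols.
STRONGER_POLICY = keyspace(95, 12, 12)


@dataclass
class LoginThrottle:
    """Per-account failure counter that locks the account after too many misses."""
    max_failures: int = 5
    lockout_seconds: float = 900.0
    evaluated: int = 0                                          # attempts that reached the password check
    failures: Dict[str, int] = field(default_factory=dict)      # account -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # account -> unlock time

    def attempt(self, account: str, correct: bool, now: float) -> bool:
        """Return True only if the attempt was evaluated and the password was right."""
        if self.locked_until.get(account, 0.0) > now:
            return False                       # rejected without consulting the credential store
        self.evaluated += 1
        if correct:
            self.failures.pop(account, None)   # success resets the counter
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures.pop(account, None)
        return False


def replay_post_scenario(throttle: Optional[LoginThrottle] = None):
    """Replay the post's test (100 wrong guesses, then the right one, over ~5 s) against
    a throttled account, using a simulated clock. Returns (attempts_evaluated, login_ok)."""
    throttle = throttle or LoginThrottle()
    login_ok = False
    for i in range(101):
        now = i * 0.05                         # assumed pacing: ~20 attempts per second
        login_ok = throttle.attempt("test-account", correct=(i == 100), now=now)
    return throttle.evaluated, login_ok
```

With the default throttle only the first five guesses are ever checked and the correct 101st one is refused; a throttle that never locks reproduces the behaviour the post observed.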