Russ (avantman42) wrote in opensourceforum,
opensourceforum (in)security

People in the UK have probably seen's TV advert, telling us how wonderful and easy to use the new site is. I signed up for an account recently, but when I entered a password, a message popped up to say:
"Password must be 6 to 8 characters, with no spaces, commas, hyphens or numbers"
Although they don't specifically say so, I discovered that underscores aren't allowed either.

Further experimentation revealed that the password isn't case-sensitive, so it's obviously not stored as a hash. The password I entered when I signed up had both upper and lower case characters, but I've been able to log in using the same combination, with all lower-case, all upper-case, and with the cases swapped.

I did a bit more poking around, and wrote a simple script to try 100 wrong passwords, then the correct one. I ran it from a server with a fast internet connection, and it took about 5 seconds to run, getting a successful login on the 101st try. It would appear, therefore, that they have no defence against brute-force attacks.

Luckily, their security page explains that I have nothing to worry about, because they use 128-bit encryption and:
"As a further commitment to security, our site was submitted for approval by Thawte, the acknowledged experts in web security. Thawte authenticated as being secure and awarded us a universally recognised digital ID certificate."
As far as I can tell, all that really means is that they bought an SSL certificate from Thawte.
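For contrast with the two weaknesses described in the post (case-insensitive password checking and no throttling of failed logins), here is an added example of how a defender would implement the login path; it is not code from the site in question or from this post, and the names (LoginService, FakeClock, burst) and the lockout thresholds are this example's own assumptions. It stores a salted PBKDF2 hash of the password exactly as typed, compares it in constant time, and locks the account for a window after a handful of failures, so a burst of 100 wrong guesses followed by the correct one no longer succeeds.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical thresholds for this example; real values would be tuned per deployment.
MAX_FAILURES = 5            # failures within the window before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long a lockout lasts
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password exactly as typed.

    Because the password is hashed without any case folding, 'SecretPw' and
    'secretpw' yield unrelated digests, i.e. the check is case-sensitive.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class FakeClock:
    """Deterministic clock for the demo: every call advances one second."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        self.t += 1.0
        return self.t


class LoginService:
    """Minimal account store with hashed passwords and per-account lockout."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.failures: Dict[str, List[float]] = {}  # username -> failure timestamps

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _locked(self, username: str, now: float) -> bool:
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        return len(recent) >= MAX_FAILURES

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Locked accounts are refused before
        any hashing, so the attacker learns nothing from the correct guess."""
        now = self.clock()
        if self._locked(username, now):
            return "locked"
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal whether the account exists.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, actual = hash_password(password, salt)
        if record and hmac.compare_digest(actual, expected):
            self.failures.pop(username, None)
            return "ok"
        self.failures.setdefault(username, []).append(now)
        return "denied"


def burst(service: LoginService, username: str, wrong: str, right: str, tries: int = 100) -> List[str]:
    """Replay the pattern from the post: `tries` wrong passwords, then the right one.
    Returns the outcome of each attempt; the last entry is the correct password's result."""
    outcomes = [service.login(username, wrong) for _ in range(tries)]
    outcomes.append(service.login(username, right))
    return outcomes


if __name__ == "__main__":
    svc = LoginService(clock=FakeClock())
    svc.register("alice", "SecretPw")          # constructed sample account
    print("lower-cased variant:", svc.login("alice", "secretpw"))   # denied
    print("correct password:   ", svc.login("alice", "SecretPw"))   # ok
    results = burst(svc, "alice", "wrongpw", "SecretPw")
    print("101st attempt (correct password):", results[-1])         # locked
```

The lockout is deliberately checked before the hash is computed, so once an account is locked the 101st attempt is refused even though the password is right; the legitimate user regains access when the window expires, and a defender can alert on any account that reaches the lockout threshold.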