<p>DBSA:2018-092201 - Revision history (Atom feed: http://kb.digibase.ca/index.php?title=DBSA:2018-092201&feed=atom&action=history). Revision history for this page on the wiki, generated by MediaWiki 1.31.1, feed updated 2024-03-28T10:45:43Z.</p>
<p>Revision diff=1118 by Kradorex Xeron at 03:35, 23 September 2018 (2018-09-23T03:35:47Z): http://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1118&oldid=prev</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 03:35, 23 September 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l33" >Line 33:</td>
<td colspan="2" class="diff-lineno">Line 33:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store customer account passwords (for my.rcn.com/login and related systems) plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse<del class="diffchange diffchange-inline">. Anyone with read access to the RCN customer login database may login to any RCN customer's account</del>.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store customer account passwords (for my.rcn.com/login and related systems) plaintext, without hashing in violation of security standards<ins class="diffchange diffchange-inline">. Anyone with read access to the RCN customer login database may login to any RCN customer's account, including any attackers who breach their login database or disgruntled employees recording customer passwords</ins>. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td></tr>
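<tr><td colspan="4">Review bot: the inserted clause "disgruntled employees recording customer passwords" in the right-hand paragraph is imprecise: with plaintext storage nothing has to be recorded, since anyone who can read the table already holds every password, so it should read "or any employee or contractor with read access to that database". The sentence has also become a long run-on; splitting it after "account" keeps the two threat sources (external breach, insider access) distinct, and "in violation of security standards" still names no standard, which an advisory should do.</td></tr>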
</table>
<p>Author: Kradorex Xeron</p>
<p>Revision diff=1117 by Kradorex Xeron at 03:18, 23 September 2018 (2018-09-23T03:18:28Z): http://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1117&oldid=prev</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 03:18, 23 September 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l33" >Line 33:</td>
<td colspan="2" class="diff-lineno">Line 33:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store customer passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse. Anyone with read access to the RCN customer login database may login to any RCN customer's account.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store customer <ins class="diffchange diffchange-inline">account </ins>passwords <ins class="diffchange diffchange-inline">(for my.rcn.com/login and related systems) </ins>plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse. Anyone with read access to the RCN customer login database may login to any RCN customer's account.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td></tr>
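<tr><td colspan="4">Review bot: "(for my.rcn.com/login and related systems)" leaves the scope of the finding open: a reader of the advisory needs to know which other systems authenticate against the same plaintext credential store, or an explicit statement that this is unknown, because that decides whether affected customers must change the password elsewhere as well. Suggest either listing the systems that were actually observed or replacing "and related systems" with "and any other RCN service that authenticates against the same customer login database".</td></tr>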
</table>
<p>Author: Kradorex Xeron</p>
<p>Revision diff=1116 by Kradorex Xeron at 02:52, 23 September 2018 (2018-09-23T02:52:58Z): http://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1116&oldid=prev</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 02:52, 23 September 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l37" >Line 37:</td>
<td colspan="2" class="diff-lineno">Line 37:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The industry standard method of storing passwords is through running any provided password through a mathematical computation similar to encryption (but irreversible) called "hashing". When a user goes to login, the login password is also hashed and compared to the stored password. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. If a user forgets a password, it is lost and must be changed.  </div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The industry standard method of storing passwords is through running any provided password through a mathematical computation similar to encryption (but irreversible) called "hashing". When a user goes to login, the login password is also hashed and compared to the stored <ins class="diffchange diffchange-inline">hashed </ins>password. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. If a user forgets a password, it is lost and must be changed.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>This ensures that even if an attacker gets the password list, it doesn't automatically empower the attacker to login to any user account as they don't have the original passwords. This is a well researched and established method for password storage.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>This ensures that even if an attacker gets the password list, it doesn't automatically empower the attacker to login to any user account as they don't have the original passwords. This is a well researched and established method for password storage.</div></td></tr>
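<tr><td colspan="4">Review bot: the inserted "hashed" corrects what is being compared, but the next sentence keeps a number-agreement error that this revision leaves in place: "Attempts to use the hash itself to login is run through the computation again, providing a different result and fails" should read "Attempts ... are run through the computation again, producing a different result, and fail". Also, "it is lost and must be changed" is clearer as "cannot be recovered by the operator and must be reset", since that is exactly the property the paragraph is arguing for.</td></tr>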
</table>
<p>Author: Kradorex Xeron</p>
<p>Revision diff=1115 by Kradorex Xeron at 02:42, 23 September 2018 (2018-09-23T02:42:13Z): http://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1115&oldid=prev</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 02:42, 23 September 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l33" >Line 33:</td>
<td colspan="2" class="diff-lineno">Line 33:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store customer passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store customer passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse<ins class="diffchange diffchange-inline">. Anyone with read access to the RCN customer login database may login to any RCN customer's account</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">Under a correctly implemented system at a given company, </del>passwords provided <del class="diffchange diffchange-inline">are run </del>through a <del class="diffchange diffchange-inline">"hashing" </del>mathematical computation similar to encryption but <del class="diffchange diffchange-inline">not reversible. For a basic example the password </del>"<del class="diffchange diffchange-inline">Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817</del>" <del class="diffchange diffchange-inline">which cannot be reversed easily</del>. <del class="diffchange diffchange-inline">For </del>login, the login password is <del class="diffchange diffchange-inline">run through the same mathematical computation </del>and compared to the <del class="diffchange diffchange-inline">account hash and at no time is the plaintext </del>password <del class="diffchange diffchange-inline">stored</del>. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. 
<del class="diffchange diffchange-inline">This </del>is <del class="diffchange diffchange-inline">an industry standard password storage method</del>.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">The industry standard method of storing </ins>passwords <ins class="diffchange diffchange-inline">is through running any </ins>provided <ins class="diffchange diffchange-inline">password </ins>through a mathematical computation similar to encryption <ins class="diffchange diffchange-inline">(</ins>but <ins class="diffchange diffchange-inline">irreversible) called </ins>"<ins class="diffchange diffchange-inline">hashing</ins>". <ins class="diffchange diffchange-inline">When a user goes to </ins>login, the login password is <ins class="diffchange diffchange-inline">also hashed </ins>and compared to the <ins class="diffchange diffchange-inline">stored </ins>password. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. <ins class="diffchange diffchange-inline">If a user forgets a password, it </ins>is <ins class="diffchange diffchange-inline">lost and must be changed</ins>.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">RCN does not have this standard security implementation</del>, <del class="diffchange diffchange-inline">meaning those with access </del>to the password <del class="diffchange diffchange-inline">database can access any account</del>.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins class="diffchange diffchange-inline">This ensures that even if an attacker gets the password list</ins>, <ins class="diffchange diffchange-inline">it doesn't automatically empower the attacker to login </ins>to <ins class="diffchange diffchange-inline">any user account as they don't have </ins>the <ins class="diffchange diffchange-inline">original passwords. This is a well researched and established method for </ins>password <ins class="diffchange diffchange-inline">storage</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Mitigation/Solution==</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Mitigation/Solution==</div></td></tr>
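<tr><td colspan="4">Review bot: the new second paragraph ("even if an attacker gets the password list, it doesn't automatically empower the attacker") only holds when the hash is salted per user and deliberately slow, and the rewritten first paragraph now names no algorithm at all, so the section no longer says what "industry standard" means; suggest one sentence naming a password hashing function with a per-user salt and a work factor (bcrypt, scrypt, PBKDF2 or Argon2) so the claim is checkable. Dropping the SHA-1 walkthrough from the old text is the right call, because a fast unsalted hash does not give the protection this paragraph describes. Separately, "compared to the stored password" should be "compared to the stored hash", since the plaintext is never stored.</td></tr>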
</table>
<p>Author: Kradorex Xeron</p>
<p>Revision diff=1114 by Kradorex Xeron at 02:22, 23 September 2018 (2018-09-23T02:22:37Z): http://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1114&oldid=prev</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 02:22, 23 September 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l33" >Line 33:</td>
<td colspan="2" class="diff-lineno">Line 33:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN is an Internet Services Provider (ISP) in the United States.  </div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>RCN has been identified to store <ins class="diffchange diffchange-inline">customer </ins>passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Under a correctly implemented system at a given company, passwords provided are run through a "hashing" <del class="diffchange diffchange-inline">computation where the user's password on their account is run through a </del>mathematical computation similar to encryption. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed easily. For login, the login password is run through the same mathematical computation and compared and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Under a correctly implemented system at a given company, passwords provided are run through a "hashing" mathematical computation similar to encryption <ins class="diffchange diffchange-inline">but not reversible</ins>. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed easily. For login, the login password is run through the same mathematical computation and compared <ins class="diffchange diffchange-inline">to the account hash </ins>and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails<ins class="diffchange diffchange-inline">. This is an industry standard password storage method</ins>.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN does not have this standard security implementation, meaning those with access to the password database can access any account.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN does not have this standard security implementation, meaning those with access to the password database can access any account.</div></td></tr>
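<tr><td colspan="4">Review bot: "cannot be reversed easily" next to the SHA-1 example frames the risk the wrong way: someone holding a table of unsalted SHA-1 values does not reverse them, they hash candidate passwords and compare, and because SHA-1 is fast and the example has no salt, that comparison runs at a very high rate or is replaced by precomputed lookup tables, so the sentence added at the end, "This is an industry standard password storage method", overstates what plain SHA-1 provides. Suggest saying that the standard method uses a per-user salt and a slow password hashing function, and either removing the SHA-1 walkthrough or labelling it as an illustration of a one-way computation only. "Attempts ... is run ... and fails" should also be "are run ... and fail".</td></tr>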
</table>
<p>Author: Kradorex Xeron</p>
<p>Revision diff=1113 by Kradorex Xeron at 02:19, 23 September 2018 (2018-09-23T02:19:21Z): http://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1113&oldid=prev</p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #222; text-align: center;">Revision as of 02:19, 23 September 2018</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l37" >Line 37:</td>
<td colspan="2" class="diff-lineno">Line 37:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Further explanation===</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Under a correctly implemented system at a given company, passwords are run through a "hashing" computation where the user's password on their account is run through a mathematical computation similar to encryption. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed. For login, the login password is run through the same mathematical computation and compared and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails.</div></td><td class='diff-marker'>+</td><td style="color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Under a correctly implemented system at a given company, passwords <ins class="diffchange diffchange-inline">provided </ins>are run through a "hashing" computation where the user's password on their account is run through a mathematical computation similar to encryption. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed <ins class="diffchange diffchange-inline">easily</ins>. For login, the login password is run through the same mathematical computation and compared and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN does not have this standard security implementation, meaning those with access to the password database can access any account.</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #222; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>RCN does not have this standard security implementation, meaning those with access to the password database can access any account.</div></td></tr>
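<tr><td colspan="4" style="color: #222; font-size: 88%; vertical-align: top; white-space: pre-wrap;">Review bot: The change from "cannot be reversed" to "cannot be reversed easily" in the example sentence is the right direction but still undersells the risk of the example as written: the digest cannot be inverted mathematically, yet a fast unsalted hash of a guessable password can be recovered by hashing candidate passwords and comparing, which is exactly why salted, slow hashes are used for password storage. Suggest "cannot be turned back into the password directly; salting and a slow hash function are used to make guessing impractical". Also, the first sentence now says passwords are "run through a 'hashing' computation where the user's password on their account is run through a mathematical computation", which repeats itself; one "run through" is enough.</td></tr>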
</table>Kradorex Xeronhttp://kb.digibase.ca/index.php?title=DBSA:2018-092201&diff=1111&oldid=prevKradorex Xeron: Created page with "{{DBSAHEAD | TITLE=RCN Stores Passwords Plaintext | KEYWORDS=plaintext password, disclosure }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' RCN Stores Passwords Plaintext '..."2018-09-23T02:13:58Z<p>Created page with "{{DBSAHEAD | TITLE=RCN Stores Passwords Plaintext | KEYWORDS=plaintext password, disclosure }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' RCN Stores Passwords Plaintext '..."</p>
<p><b>New page</b></p><div>{{DBSAHEAD<br />
| TITLE=RCN Stores Passwords Plaintext<br />
| KEYWORDS=plaintext password, disclosure<br />
}}<br />
<br />
'''DBSA ID:''' {{PAGENAME}}<br />
<br />
'''Regarding:''' RCN Stores Passwords Plaintext<br />
<br />
'''Writeup:''' [[User:Kradorex Xeron|Kradorex Xeron]] ([[User talk:Kradorex Xeron|talk]]) 22:13, 22 September 2018 (EDT)<br />
<br />
'''Date:''' 2018 09 22<br />
<br />
'''Last Modified:''' {{REVISIONTIMESTAMP}} by {{REVISIONUSER}}<br />
<br />
'''Who should take note:''' RCN Customers<br />
<br />
==Classification==<br />
<br />
'''Priority:''' HIGH<br />
<br />
'''Rationale:''' RCN Customers should maintain continuous monitoring of the situation.<br />
<br />
'''Severity:''' HIGH<br />
<br />
'''Rationale:''' Plaintext password storage is a violation of fundamental security standards and plaintext password storage is treated with the same regard as password compromise.<br />
<br />
'''Spread of Issue:''' SINGLE-PLATFORM HIGH<br />
<br />
'''Rationale:''' All RCN Customers are subject.<br />
<br />
==Description==<br />
RCN is an Internet Services Provider (ISP) in the United States. <br />
<br />
RCN has been identified as storing passwords in plaintext, without hashing, in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.<br />
<br />
===Further explanation===<br />
<br />
Under a correctly implemented system at a given company, passwords are run through a "hashing" computation: the user's account password is put through a mathematical computation similar to encryption. For a basic example, the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817", which cannot be reversed. For login, the supplied password is run through the same mathematical computation and compared, and at no time is the plaintext password stored. An attempt to use the hash itself to log in is run through the computation again, producing a different result, and fails.<br />
<br />
RCN does not have this standard security implementation, meaning those with access to the password database can access any account.<br />
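The hashed-login check described above, as an added example that is not part of the advisory and not RCN's code: it reproduces the page's unsalted "sha1" illustration, shows that submitting the digest itself as the password fails, and then shows the salted, deliberately slow form (PBKDF2-HMAC-SHA256 from the Python standard library) that current guidance expects; the iteration count and the stored record format are assumptions.<br />

```python
import hashlib
import hmac
import os

# Constructed demonstration; not RCN's system and not the advisory author's code.

# Part 1: the advisory's basic example, an unsalted SHA-1 digest.
def sha1_hex(password: str) -> str:
    """Return the hex SHA-1 digest the advisory uses as its illustration."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def sha1_login_ok(stored_hex: str, attempt: str) -> bool:
    """Login check: hash the attempt and compare it to the stored digest.
    Feeding the stored digest itself as the attempt hashes it again and fails."""
    return hmac.compare_digest(sha1_hex(attempt), stored_hex)

# Part 2: the salted, slow form that password storage guidance actually expects.
# PBKDF2-HMAC-SHA256 is used because it ships with the standard library;
# bcrypt, scrypt and Argon2 are the usual alternatives.
ITERATIONS = 100_000  # assumed value; tune so one check costs ~100 ms on the server

def make_record(password: str) -> str:
    """Build the value kept in the account database. No plaintext is stored."""
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"  # assumed format

def verify_record(record: str, attempt: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    pw = "Fa9034dASc"  # the example password from the advisory
    print("sha1 digest:", sha1_hex(pw))
    print("correct password accepted:", sha1_login_ok(sha1_hex(pw), pw))
    print("digest used as password accepted:", sha1_login_ok(sha1_hex(pw), sha1_hex(pw)))
    rec = make_record(pw)
    print("stored record:", rec)
    print("salted verify:", verify_record(rec, pw), verify_record(rec, "wrong"))
```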
<br />
==Mitigation/Solution==<br />
RCN customers are advised that they should treat the passwords supplied to the company as compromised at this time. Further, RCN customers may wish to contact the company and insist the company transition to a one-way "hashing" password storage system.<br />
<br />
==References==<br />
* https://twitter.com/RCNconnects/status/1043616436843945985<br />
* http://archive.is/yES0i<br />
<br />
[[Category:DBSA|2018]]</div>Kradorex Xeron