Difference between revisions of "DBSA:2018-092201"
(Created page with "{{DBSAHEAD | TITLE=RCN Stores Passwords Plaintext | KEYWORDS=plaintext password, disclosure }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' RCN Stores Passwords Plaintext '...") |
|||
(5 intermediate revisions by the same user not shown) | |||
Line 33: | Line 33: | ||
RCN is an Internet Services Provider (ISP) in the United States. | RCN is an Internet Services Provider (ISP) in the United States. | ||
− | RCN has been identified to store passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse. | + | RCN has been identified to store customer account passwords (for my.rcn.com/login and related systems) plaintext, without hashing in violation of security standards. Anyone with read access to the RCN customer login database may login to any RCN customer's account, including any attackers who breach their login database or disgruntled employees recording customer passwords. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse. |
===Further explanation=== | ===Further explanation=== | ||
− | + | The industry standard method of storing passwords is through running any provided password through a mathematical computation similar to encryption (but irreversible) called "hashing". When a user goes to login, the login password is also hashed and compared to the stored hashed password. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. If a user forgets a password, it is lost and must be changed. | |
− | + | This ensures that even if an attacker gets the password list, it doesn't automatically empower the attacker to login to any user account as they don't have the original passwords. This is a well researched and established method for password storage. | |
==Mitigation/Solution== | ==Mitigation/Solution== |
Latest revision as of 22:35, 22 September 2018
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Contents
Digibase Security Advisory - RCN Stores Passwords Plaintext
Keywords: plaintext password, disclosure
DBSA ID: 2018-092201
Regarding: RCN Stores Passwords Plaintext
Writeup: Kradorex Xeron (talk) 22:13, 22 September 2018 (EDT)
Date: 2018 09 22
Last Modified: 20180922223547 by Kradorex Xeron
Who should take note: RCN Customers
Classification
Priority: HIGH
Rationale: RCN Customers should maintain continuous monitoring of the situation.
Severity: HIGH
Rationale: Plaintext password storage is a violation of fundamental security standards and plaintext password storage is treated with the same regard as password compromise.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: All RCN Customers are subject.
Description
RCN is an Internet Services Provider (ISP) in the United States.
RCN has been identified to store customer account passwords (for my.rcn.com/login and related systems) plaintext, without hashing in violation of security standards. Anyone with read access to the RCN customer login database may login to any RCN customer's account, including any attackers who breach their login database or disgruntled employees recording customer passwords. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.
Further explanation
The industry standard method of storing passwords is through running any provided password through a mathematical computation similar to encryption (but irreversible) called "hashing". When a user goes to login, the login password is also hashed and compared to the stored hashed password. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. If a user forgets a password, it is lost and must be changed.
This ensures that even if an attacker gets the password list, it doesn't automatically empower the attacker to login to any user account as they don't have the original passwords. This is a well researched and established method for password storage.
Mitigation/Solution
RCN customers are advised that they should treat the passwords supplied to the company as compromised at this time. Further, RCN customers may wish to contact the company and insist the company transition to a one-way "hashing" password storage system.