Difference between revisions of "DBSA:2018-092201"

From Digibase Knowledge Base
Jump to: navigation, search
Line 33: Line 33:
 
RCN is an Internet Services Provider (ISP) in the United States.  
 
RCN is an Internet Services Provider (ISP) in the United States.  
  
RCN has been identified to store passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.
+
RCN has been identified to store customer passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.
  
 
===Further explanation===
 
===Further explanation===
  
Under a correctly implemented system at a given company, passwords provided are run through a "hashing" computation where the user's password on their account is run through a mathematical computation similar to encryption. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed easily. For login, the login password is run through the same mathematical computation and compared and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails.
+
Under a correctly implemented system at a given company, passwords provided are run through a "hashing" mathematical computation similar to encryption but not reversible. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed easily. For login, the login password is run through the same mathematical computation and compared to the account hash and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. This is an industry standard password storage method.
  
 
RCN does not have this standard security implementation, meaning those with access to the password database can access any account.
 
RCN does not have this standard security implementation, meaning those with access to the password database can access any account.

Revision as of 21:22, 22 September 2018

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - RCN Stores Passwords Plaintext

Keywords: plaintext password, disclosure

DBSA ID: 2018-092201

Regarding: RCN Stores Passwords Plaintext

Writeup: Kradorex Xeron (talk) 22:13, 22 September 2018 (EDT)

Date: 2018 09 22

Last Modified: 20180922212237 by Kradorex Xeron

Who should take note: RCN Customers

Classification

Priority: HIGH

Rationale: RCN Customers should maintain continuous monitoring of the situation.

Severity: HIGH

Rationale: Plaintext password storage is a violation of fundamental security standards and plaintext password storage is treated with the same regard as password compromise.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: All RCN Customers are subject.

Description

RCN is an Internet Services Provider (ISP) in the United States.

RCN has been identified to store customer passwords plaintext, without hashing in violation of security standards. The company has gone as far as to say that plaintext password storage is a matter of company policy, making the issue that much worse.

Further explanation

Under a correctly implemented system at a given company, passwords provided are run through a "hashing" mathematical computation similar to encryption but not reversible. For a basic example the password "Fa9034dASc" via the "sha1" computation becomes "fe0b486852959dc2eb3af5c5c04c478d0f018817" which cannot be reversed easily. For login, the login password is run through the same mathematical computation and compared to the account hash and at no time is the plaintext password stored. Attempts to use the hash itself to login is run through the computation again, providing a different result and fails. This is an industry standard password storage method.

RCN does not have this standard security implementation, meaning those with access to the password database can access any account.

Mitigation/Solution

RCN customers are advised that they should treat the passwords supplied to the company as compromised at this time. Further, RCN customers may wish to contact the company and insist the company transition to a one-way "hashing" password storage system.

References