Monday, September 26, 2011

Dice.com user data insecure

I've just signed up (again) for Dice.com, and noticed that Dice only checks the first 8 characters of the password.

There is no description of the password rules anywhere on the site, I believe.

However, a good feature is that Dice passwords can contain:
* Special characters like ! $ % & (etc., except backticks `)
* Bracket characters like ? [ ] { } ( ) < > (etc.)
* Underline and minus: _ -

in addition to the usual digits and to upper- and lower-case letters (which are distinguished).

Using these, the best 8-character Dice password attains (Keepass informs me) '53 bits of [password] quality', which is not very much. On top of that there is a cleartext sniffing problem (see below).

But who cares?

EDIT: Dice confirmed that they only use the first 8 characters of the password. They also pointed out (correctly) that their login form has an action whose URL is https, so the credentials themselves are normally sent over SSL.

However, as the references below explain, an attacker sitting in the network path (a corporate proxy, or any other sniffer) can intercept the login page itself, which Dice sends out over plain http, rewrite it in transit (a few lines of Perl will do) and pass on to the Dice user a copy whose form action points to some address other than the https address Dice intended.

When the user submits the form (to the wrong address), the attacker sees the Dice username or email and the password in the clear. With those credentials they can log into Dice themselves and read whose resume it really is. If they want to.

The same references say some banks have this problem too!

References:

http://ask.metafilter.com/48531/are-http-forms-posted-thru-https-secure?
http://www.perlmonks.org/?node_id=542038?

Copyright (c) 2011 Mark D. Blackwell.
