[WEB SECURITY] username & pw in clear-text through SSL considered safe?

Mike Fratto mfratto at gmail.com
Mon Jun 16 11:26:06 EDT 2008


>> Would this also show that the passwords are being stored in clear-text and
>> not encrypted with a salt value in the db?
>
> No.  It could be the site stores the passwords using some hash function, and
> upon attempting to log in, the system hashes the submitted password and
> compares that to the stored hash.

You would be surprised to find that many banks don't hash the password.

Here is how to check this. Call your bank, tell them you can't log in
to your account. If they ask for your password, tell them you can't
remember and you can't remember your secret question either. It was so
long ago... Ask them if they can tell you the first letter of your
password. If they tell you, then you will know the bank stores your
password in the clear.

A few years ago, I lost my paper with all my account information on it
and I had to go through this process to recover my password. 75% of
the financial institutions could read my password. I am not naming
names because I forgot which banks saved passwords in plain text.
Scary.
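The quoted reply above describes the hash-and-compare scheme: the site never keeps the password, only a hash of it, and at login it hashes what the user submitted and compares. The following is an added example of that scheme with a per-user random salt and a slow key-derivation function; it is not code from this thread or from any bank, and the record format, the PBKDF2-HMAC-SHA256 choice and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256 with a
# 16-byte random salt and 600k iterations, so guessing is expensive.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    Only this record goes in the database; the password itself is never stored,
    so nobody at the help desk can read back even its first letter.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the hash from the submitted password and compare to the record."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a timing difference does not leak how many
    # leading bytes of the guess matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_record(password: str) -> bool:
    """Two users with the same password must NOT produce the same stored record.

    With a fresh random salt per record this returns False; an unsalted hash
    (or plaintext storage) would return True and let an attacker spot shared
    passwords at a glance.
    """
    return make_record(password) == make_record(password)


if __name__ == "__main__":
    # Constructed sample user table: the values are stored records, not passwords.
    users = {
        "alice": make_record("correct horse battery"),
        "bob": make_record("correct horse battery"),
    }
    for name, rec in users.items():
        print(name, rec[:40] + "...")
    print("alice login ok:", verify("correct horse battery", users["alice"]))
    print("alice wrong pw:", verify("Correct horse battery", users["alice"]))
    print("alice/bob records equal:", users["alice"] == users["bob"])
```

Run as a script it prints two different records for alice and bob even though they chose the same password, accepts the right password and rejects a one-character variation. The stored record answers the phone-call test in the post: a support agent looking at it has nothing to read aloud.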

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
