Originally Posted by
NameCoin
Sorry to revive a dead post. I forgot about this.
My original comment was actually to point out the fact that on the client side, the FlyerTalk forum does not do anything too sophisticated to login information. Here is an example: I tried to log in as user "username" whose password is "thepassword". This is information from a packet I sniffed out:
You can clearly see that I tried to log in as "username". Now, instead of seeing the password in the clear, you see its MD5 hash: "3c41ff681c1e3dcb68b4d8573bf1c74c". The problem is that MD5 has been pretty well-studied and is considered to be very weak (e.g. collision attacks, pre-image attacks, etc.). There are also loads of lookup tables. In this example, you can go to http://www.md5-lookup.com/ and put in the hash mentioned above. It returns "thepassword" as the original string.
---------
I think that my post at the very top was taken in the context of the security of financial information over an open wireless internet connection. While it can be secure, my point was that usage of less sensitive sites (like FlyerTalk) can create a side security issue for people who reuse login information.
That's actually pretty scary.
Fortunately, I almost never need to actually "log in" to FlyerTalk, as I am on FT frequently enough that my login session never times out. (I assume my password isn't being stored in a cookie somewhere and transmitted occasionally but rather some session ID is stored that--while it possibly could be spoofed to gain access to my FT account--won't compromise my actual password.)
IB, what are you going to do about this?
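The lookup-table point in the quoted post, as an added example that is not part of the thread or of FlyerTalk's code: unsalted MD5 gives every user with the same password the same value, so one precomputed table reverses it, while a per-user salt with a slow KDF does not match any such table. The wordlist, function names and iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a public MD5 lookup table.
WORDLIST = ["123456", "letmein", "thepassword", "qwerty"]
ITERATIONS = 100_000  # assumed work factor for this example


def md5_hex(password):
    """Unsalted MD5, the form of the value described in the post."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; it then works against every user."""
    return {md5_hex(w): w for w in words}


def salted_verifier(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_verifier(password, salt)
    return hmac.compare_digest(candidate, digest)


def compare_schemes(password="thepassword"):
    """Hash the same password for two users under both schemes."""
    table = build_lookup(WORDLIST)
    alice_md5, bob_md5 = md5_hex(password), md5_hex(password)
    (salt_a, dig_a), (_, dig_b) = salted_verifier(password), salted_verifier(password)
    return {
        "md5_same_for_all_users": alice_md5 == bob_md5,
        "md5_recovered": table.get(alice_md5),
        "salted_same_for_all_users": dig_a == dig_b,
        "salted_recovered": table.get(dig_a.hex()),
        "salted_still_verifies": verify(password, salt_a, dig_a),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Salting and a slow KDF protect the stored verifier; a hash that is sent in place of the password is still whatever the server accepts as the credential, so it needs an encrypted connection in transit.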