It's been a busy week on the security front. Of course, that's true of most weeks, but here are some interesting stories from the past few days:
- CloudCracker is running a special this week on its MS-CHAPv2 cracking service: it will crack any captured MS-CHAPv2 handshake for $20, a $180 discount off the usual price. As CloudCracker puts it:

  > This means that any PPTP VPN connection or intercepted MS-CHAPv2 WPA Enterprise wireless credentials can be cracked and decrypted with a 100% success rate for only $20.
- The IEEE (!) had a "data breach" in which roughly 100k plaintext passwords sat exposed on its FTP site for over a month. I don't know what else can be said about this.
- Hotmail is helpfully (and silently) truncating users' passwords to 16 characters. Honestly, there's no reason or excuse for this. If they were doing things correctly, they'd be hashing each password with bcrypt or something similar, and the length of the password would not matter (bcrypt ignores input past 72 bytes, which is still far more than 16). A hard cap at 16 means the password is either being cut off before it is hashed or stored in a 16-character field outright; either way, anything a user types past the sixteenth character buys them nothing.
- The W3C has published a working draft of its Web Cryptography API. Once it is finalized and implemented in browsers, it could improve web security by giving scripts access to the browser's own cryptographic primitives and key storage instead of hand-rolled JavaScript crypto. But it probably won't, because the usual people still won't bother doing the right thing.
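To make the Hotmail point concrete, here is an added example (not from the original post, and not Hotmail's code) that puts a verifier which truncates passwords to 16 characters next to one that hashes the whole password with a salted, slow KDF. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, and the passwords, salts and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumption: iteration count chosen for a quick demo; tune for your hardware.
ITERATIONS = 100_000


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of the full password (PBKDF2 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_truncating(password: str) -> dict:
    """Broken scheme: silently keep only the first 16 characters before hashing.
    Everything the user types after character 16 is discarded."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _kdf(password[:16], salt)}


def verify_truncating(record: dict, attempt: str) -> bool:
    # The attempt is truncated the same way, so any string sharing the first
    # 16 characters with the real password authenticates.
    return hmac.compare_digest(record["digest"], _kdf(attempt[:16], record["salt"]))


def enroll(password: str) -> dict:
    """Correct scheme: hash the entire password with a per-user random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _kdf(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    # Constant-time comparison of the full-length digest.
    return hmac.compare_digest(record["digest"], _kdf(attempt, record["salt"]))


def demo() -> dict:
    """Constructed test: a 28-character password and an attempt that matches
    only its first 16 characters. Returns which verifier accepts what."""
    pw = "correct horse battery staple"      # 28 characters, constructed
    wrong_tail = pw[:16] + "x" * 12          # same first 16 characters, different tail
    truncating_record = enroll_truncating(pw)
    proper_record = enroll(pw)
    return {
        "truncating_accepts_wrong_tail": verify_truncating(truncating_record, wrong_tail),
        "truncating_accepts_prefix_only": verify_truncating(truncating_record, pw[:16]),
        "proper_accepts_correct": verify(proper_record, pw),
        "proper_rejects_wrong_tail": not verify(proper_record, wrong_tail),
        "proper_rejects_prefix_only": not verify(proper_record, pw[:16]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The truncating verifier accepts both the 16-character prefix on its own and a 28-character string that is wrong from character 17 onward, which is exactly why a 16-character cap is a security bug rather than a cosmetic limit. A real deployment would use bcrypt, scrypt or Argon2 rather than PBKDF2, but whichever KDF is used, the whole password must reach it.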