Saw this today while resetting a password... awesome.
Also looks like I'm not the only one having the problem.
http://lastinfirstout.blogspot.com/2008/10/trivial-account-reset-on-american.html
Copyright 2023 © Carnal0wnage Blog
9 comments:
Sounds like a good ol mainframe character limit
I ran into this too a few months ago: here.
Once again...this would not be a security issue, until you h@x0rs made a big deal out of it...
We make people super-duper promise not to be bad on our site...
What else can we do?
We have something very similar where I work with a time-writing app. It won't let you have a long password, and you have to use alphanumeric only. Great system.
no more than 8 chars and NO SPECIAL chars... that drops the possible keyspace down to about a 10 minute dictionary attack ;) woohoo!
It's pretty crazy how often you run into this. I've even seen it on things like domain registration and control, although I haven't run into it on any sites like this one where it's something like your finances that are at risk.
one of the reasons I no longer have an Amex.
By the way... almost a year later and this still hasn't changed.