Re: UserNameToken with SendNone on Password


From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 02/15/05


Date: Tue, 15 Feb 2005 13:01:46 -0500


> Just exaggerating. But the main point still is that using usernames and
> passwords is increasingly risky because of several reasons, some of which
> are outlined in Keith's article at [2].
> http://office.microsoft.com/en-us/officeupdate/CD010798711033.aspx
>
http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwse/html/securusernametoken.asp

I had also blogged on the weakness of UsernameTokens with a supporting code
example at:
"Crack your WSE SendHashed Passwords."
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!178.entry

This could work with SendNone or SendHashed. Naturally SendPlain is a joke
unless the plain text is actually encrypted first with a prior shared secret
or PKI. It is much easier to crack ~standard passwords, but given some
time, you could crack most passwords. Even passwords people "think" are
strong, like "Letmein;12" can be cracked pretty fast.

-- 
William Stacey, MVP
http://mvp.support.microsoft.com
