Passwords, Entropy And MegaCracker

Kim Dotcom’s successor to MegaUpload.com, Mega, is already proving extremely popular with netizens, signing up over a million users in just a few days.

But the service is not without problems. I mentioned earlier today how the site has attracted the attention of at least one anti-piracy group. But it seems there may be some security issues too.


Soon after the initial excitement of the launch, a different discussion began doing the rounds as the press picked up on Mega’s security practices. The main talking points centre on passwords and entropy, as covered by Ars Technica.

In reply to Ars Technica’s statement that “Without adding entropy, the “random” primes generated by math.random for use as RSA keys are really only pseudo-random and can be guessed.”, Dotcom wrote:

This is correct – and quite a strange statement to make after conceding that mouse and keyboard entropy are indeed used to enhance Math.random(). We will, however, add a feature that allows the user to add as much entropy manually as he sees fit before proceeding to the key generation.

Where passwords are concerned, Ars Technica wrote that there does not seem to be any password recovery system, so a user who forgets their password could be left permanently locked out of their account, a consequence of the password being the only thing that unlocks the user’s encryption keys.

A password reset mechanism will allow you to log back into your account, with all files being unreadable. Now, if you have any pre-exported file keys, you can import them to regain access to those files. On top of that, you could ask your share peers to send you the share-specific keys, but that’s it – the remainder of your data appears as binary garbage until you remember your password.
Kim Dotcom’s reply on the Mega blog

Today, though, there is more possible bad news on the password front: cryptography expert Steve Thomas is working on a tool called MegaCracker, which could crack hashes embedded in the confirmation emails sent to newly registered users. Read more on that at SC Magazine.

photo: Abode of Chaos

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.
