From: mike at ampeisch.com (mike@...eisch.com)
Subject: Google Desktop Search


Not necessarily -- that's what "salt" characters are for in crypto. Check
out "Applied Cryptography".  The added value is that if you have the plain
text password, you have the password, if you have the hash, you still have
to crack it, or BF it.  MD5sum is one of the methods that Unix/Linux use
for OS password storage.  What Yahoo is doing isn't perfect, but it's a
damn sight better than pointless.

M.



> What is the added benefit of sending MD5 hashes instead of plain-text
> passwords? I mean, the MD5 hash will be the same for the same password,
> isn't it?
>
> I hope that Yahoo has implemented something more complicated than that,
> otherwise it is plain pointless.
>
> -- rem.
>
> mike@...eisch.com wrote:
>>  Read the javascript in the headers of Yahoo's login page:
>>
>> <-- Begin javascript comments from Yahoo -->
>> /*
>>  * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
>>  * Digest Algorithm, as defined in RFC 1321.
>>  * Copyright (C) Paul Johnston 1999 - 2000.
>>  * Updated by Greg Holt 2000 - 2001.
>>  * See http://pajhome.org.uk/site/legal.html for details.
>>  */
>>
>> <-- End Javascript comments from Yahoo -->
>>
>> THEY don't even cache, or pass, your password. Like all secure programs,
>> they store, and transmit, an MD5 Sum.
>
>
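The point raised in this exchange (a bare MD5 of the password is the same on every login, while a salted one is not), as an added example that is not part of the original messages and is not Yahoo's code. The per-login server challenge, the `Server` class and all function names are assumptions made for illustration; the password is a constructed sample.

```javascript
// Added illustration (Node.js). Hypothetical names; not code from Yahoo's login page.
const nodeCrypto = require('crypto');

const md5hex = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// Scheme A: the client sends MD5(password). The wire value never changes.
function staticLoginToken(password) {
  return md5hex(password);
}

// Scheme B: the client mixes a fresh server-issued challenge (the "salt") into the hash.
function challengeResponse(password, challenge) {
  return md5hex(md5hex(password) + challenge);
}

// Hypothetical server that stores MD5(password) and tracks single-use challenges.
class Server {
  constructor(storedHash) {
    this.storedHash = storedHash;
    this.pending = new Set();
  }
  issue() {
    const c = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.add(c);
    return c;
  }
  verifyStatic(token) {
    return token === this.storedHash;
  }
  verifyResponse(challenge, response) {
    if (!this.pending.delete(challenge)) return false; // unknown or already used
    const expected = Buffer.from(md5hex(this.storedHash + challenge));
    const got = Buffer.from(String(response));
    return got.length === expected.length && nodeCrypto.timingSafeEqual(expected, got);
  }
}

// Checks whether values captured from one login are accepted a second time.
function replayDemo() {
  const password = 'correct horse'; // constructed sample
  const server = new Server(md5hex(password));
  const seenStatic = staticLoginToken(password);
  const c1 = server.issue();
  const seenResponse = challengeResponse(password, c1);
  const firstLoginAccepted = server.verifyResponse(c1, seenResponse);
  return {
    staticReplayAccepted: server.verifyStatic(seenStatic),
    firstLoginAccepted,
    reusedChallengeAccepted: server.verifyResponse(c1, seenResponse),
    oldResponseOnNewChallenge: server.verifyResponse(server.issue(), seenResponse),
  };
}
```

In both schemes the stored MD5(password) is itself enough to log in if it leaks from the server, and a captured challenge/response pair can still be guessed against offline, so neither replaces an encrypted transport.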



