Date: Tue, 16 Oct 2007 15:12:06 -0500
From: phioust <phioust@...il.com>
To: full-disclosure@...ts.grok.org.uk, gautam.bipin@...il.com
Subject: Re: password hash, funny myth in the industry!

On 10/16/07, Bipin Gautam <gautam.bipin@...il.com> wrote:
>
> Consider the fact, many websites/forums don't use password hash+salt,
> just password hash( generally SHA1, MD5) that gets computer client
> side and POSTED to the web-forum for user authentication.


Is "computer" supposed to be "computed"? Based on your post I think it's
supposed to be, and if so you are an idiot. The browser does not hash your
password in any way, nor are there directives to tell your browser to do so.
The clear text pass is sent in the POST, so of course you can sniff, but as
this post says 1000s of username/password combos were dropped, so who is
going to sniff all those machines?

> instead just using the password hash itself
> manipulating the POST request.


The hash is not sent in the request - the clear text is, and the server-side
code (php, asp, whatever) hashes it before checking it against the database.
You suck at life.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
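The flow phioust describes (browser POSTs the clear-text password, the server hashes it before comparing against what is stored) is shown below as an added example; it is not code from the thread or from any forum software the posters had in mind. It assumes an in-memory user table, form field names `username` and `password`, and PBKDF2-HMAC-SHA256 with a per-user random salt as the server-side hash; a real forum would hold the table in a database. The `demo()` function also shows that POSTing a client-computed SHA-1 of the password, which the original post imagined, is simply rejected as a wrong password under this design.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Hypothetical in-memory "user table": username -> (salt, stored_hash).
# Constructed for this example; a real forum keeps this in a database.
USERS: Dict[str, Tuple[bytes, bytes]] = {}

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune per deployment)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the clear-text password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the password itself is never stored."""
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def login(form: Dict[str, str]) -> bool:
    """Server-side check of a POSTed login form.

    The browser sent the clear-text password in the 'password' field. The
    server hashes it with the user's own salt and compares the result to the
    stored hash in constant time. Nothing the client sends is treated as a hash.
    """
    username = form.get("username", "")
    password = form.get("password", "")
    record = USERS.get(username)
    if record is None:
        # Do comparable work for unknown users so response time does not
        # reveal whether the username exists.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> Dict[str, bool]:
    """Run the scenario from the thread on constructed users and return the outcomes."""
    register("alice", "correct horse battery")
    register("bob", "correct horse battery")
    # What the original post imagined the browser would send instead of the password.
    client_side_sha1 = hashlib.sha1(b"correct horse battery").hexdigest()
    return {
        "right_password": login({"username": "alice", "password": "correct horse battery"}),
        "wrong_password": login({"username": "alice", "password": "nope"}),
        "unknown_user": login({"username": "carol", "password": "correct horse battery"}),
        # A client-computed hash is just a wrong password to the server.
        "client_hash_posted": login({"username": "alice", "password": client_side_sha1}),
        # Per-user salts: same password, different stored hashes.
        "same_password_distinct_hashes": USERS["alice"][1] != USERS["bob"][1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because the server derives the hash itself from the submitted clear text, a captured or leaked stored hash is not something a client can POST to log in; that is the point the reply makes, and the salt and iteration count are what make a leaked table expensive to reverse offline.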
