Date: Mon, 15 Sep 2014 12:49:09 -0400
From: Bill Cox <waywardgeek@...hershed.org>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] PolyPassHash is broken

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/14/2014 06:05 PM, Justin Cappos wrote:
> Will any hashing scheme protect an admin account that chooses
> 'password' or 'abc123' as their password?  (At least PPH protects
> thresholdless accounts even with these horrid passwords.)

Actually, I logged into a system a couple of weeks ago as root, using
"password" as the password, which I guessed out of desperation because
I needed access and the guy who set it up was not available.  There is
simply no defense against such admins :-)

Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUFxiCAAoJEAcQZQdOpZUZoDwP/RljhFFwJ+Z9W0CfXDGbWneZ
wXSDcM9SRhqmipyvC8CkzWGpPChnvg8eNe4xsGbbADaaA4nbOgcsNDPcZqMcFErl
xtofsIu0Vsvwj0rUKavueqvSUOF8nZEaKQH8xuvitSpj5hD8K1dBO1TY/pQ3CFvM
TPu1LFonaP2J7YUNUggr7fg04J7zO5ykw0Mj4574ycLLLKcSJ8O44+rbh2H5VCl3
UhfufUaTBBNdTX8JF2ubOYD2mYx4GdQpVfQhH1z6OS/HW3n5tVOCnpvA+H+BFIRT
PU/DbjKMD1iRUAa4jbN4FNefLfcuJYQ4PptSyXZAV9xkVTSjeepuqCvGLGrQfsoK
A2B9z9lt4urumIsMPZBqDS+JrLQqlw3UXJ5QqameOeLfDHlEejpcUey+LsH4KkMW
4JXPvdX7dlw5W1vPNXfdG4Wp55Hd3Z0tJSGVMJGvTqlfP4JMnvZUpDyCu4ui33F8
EtSiefw0Kn2pzMMyfT+MJAA//oaYY6xgPST3FuESUauq4NrXUCXxSdVgwJ1H2Col
IJK70cuussInYTqboNjRVsH/aqiZQNTRvYQYhcLXxpiLBZAfAE0M6P0MV1IINc/I
D28DMgK3Ibg1f0whWMCa3wo7YJnv4lLd43geNYxIdeEIkhp1aDKfJEUor6FcnsRh
xDA635BjKmuwb5neUCBx
=3ne1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists