lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <94568D36597F074DBAF976CA2C6CCDCA10F902@EDM-GOA-EXCC-1A.goa.ds.gov.ab.ca>
Date: Thu, 21 Apr 2005 15:31:42 -0600
From: "Mark Senior" <Mark.Senior@....ab.ca>
To: "Mike Fratto" <mfratto@....com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords


It also slows down cracking numerous passwords in parallel using a
dictionary/heuristic approach a la john the ripper - without a salt, you
can calculate the hash of each password guess once, and then scan
through an entire shadow file for the hash.  With salts, you have to
hash each guess once per user in the list, or at least per user you're
interested in attacking.

In the case of the postgres passwords, the user name seems to act as a
sort of "public" salt.  Knowing some user IDs, you might precompute a
set of hashes for each targetted user, in anticipation of getting your
hands on the password hashes later.

Mark

> -----Original Message-----
> From: Mike Fratto  

> I am pretty sure the intent the salt is to make 
> pre-computation of a dictionaries infeasable due to storage 
> requirements. It doesn't really add to the keyspace because 
> the salt is known and doesn't have to be guessed.

--- end of sensible content ---

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ