lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200701052112.l05LCfuG015995@turing-police.cc.vt.edu>
Date: Fri, 05 Jan 2007 16:12:41 -0500
From: Valdis.Kletnieks@...edu
To: T Biehn <tbiehn@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, milw0rm <submit@...w0rm.com>
Subject: Re: Flog 1.1.2 Remote Admin Password Disclosure

On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> This isn't a password disclosure, it's a leak of password information.
> 
> It's a password hash, you super hacker.

And given the hash, and knowledge of how the hash is computed, it becomes
possible to dictionary-attack (and other related techniques), and thus
get the actual passwords, unless there are other things in place to ensure
that all users have passwords sufficiently strong to resist those techniques.

And given that this:

> http://remote_server/data/users.0.dat

works, the probability that the hashes represent strong passwords is quite
close to nil.

In any *practical* sense, the fact that the attacker can get the hash and
from that extract/compute at least some passwords means that the passwords
are *effectively* disclosed, even if the actual bitstring originally retrieved
isn't the actual password.


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ