lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 7 Jan 2007 02:59:26 -0500
From: wac <waldoalvarez00@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Flog 1.1.2 Remote Admin Password Disclosure

On 1/5/07, Valdis.Kletnieks@...edu <Valdis.Kletnieks@...edu> wrote:
>
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password information.
> >
> > It's a password hash, you super hacker.
>
> And given the hash, and knowledge of how the hash is computed, it becomes
> possible to dictionary-attack (and other related techniques), and thus
> get the actual passwords, unless there are other things in place to ensure
> that all users have passwords sufficiently strong to resist those
> techniques.


yes that's correct but don't forget that hashes can collide

it could be the case that:

xhash("$Up3$tr0n9 # P@...oRD!!") == xhash("1234") and you don't even need
the original strong one ;)

so strong password is not a countermesure to that

I beleive that is a BIG security hole

Regards
Waldo

And given that this:
>
> > http://remote_server/data/users.0.dat
>
> works, the probability that the hashes represent strong passwords is quite
> close to nil.
>
> In any *practical* sense, the fact that the attacker can get the hash and
> from that extract/compute at least some passwords means that the passwords
> are *effectively* disclosed, even if the actual bitstring originally
> retrieved
> isn't the actual password.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ