| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <45A10CE7.3060108@gmail.com>
Date: Sun, 07 Jan 2007 16:08:23 +0100
From: endrazine <endrazine@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Flog 1.1.2 Remote Admin Password Disclosure
Hi dear list,
wac a écrit :
>
>
> On 1/5/07, *Valdis.Kletnieks@...edu <mailto:Valdis.Kletnieks@...edu>*
> <Valdis.Kletnieks@...edu <mailto:Valdis.Kletnieks@...edu> > wrote:
>
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password
> information.
> >
> > It's a password hash, you super hacker.
>
>
> yes that's correct but don't forget that hashes can collide
>
> it could be the case that:
>
can ? could ? might ? Do you have any mathematical prouve or are you
just guessing ?
> xhash("$Up3$tr0n9 # P@...oRD!!") == xhash("1234") and you don't even
> need the original strong one ;)
>
what hashing algorithm is being use ? Is a collision realistic ? How
much time would it take to actually break a given hash ?
> so strong password is not a countermesure to that
>
> I beleive that is a BIG security hole
>
At least, the hash was probably not meant to be leaked ;)
Now, if you don't answer the above questions by "can", "weak", "very",
"< 1 day or so", hence, the word "BIG" is a bit exagereted imho...
Regards,
endrazine-
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists