lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <45A28242.8060400@gmail.com>
Date: Mon, 08 Jan 2007 18:41:22 +0100
From: endrazine <endrazine@...il.com>
To: Valdis.Kletnieks@...edu,  full-disclosure@...ts.grok.org.uk
Subject: Re: Flog 1.1.2 Remote Admin Password Disclosure

Hi Vladis, Hi dear list,

Valdis.Kletnieks@...edu a écrit :
>
> It's a pretty easy proof actually.  If your password input routine allows
> more different passwords than there are possible hashes, you *will* have
> collisions.  For instance, if you use a 64-bit hash, and reasonable-length
> passwords, you can create more than 2**64 of them, and 2 *have* to collide.
>
>   
Agreed,  good sense helps in some cases ;)
>
> If you're using anything resembling a sane hash (such as MD5 or similar),
> what happens is that you basically ignore the hash collisions - because
> rather than "1234", your colliding password/phrase is probably a 32-byte or so
> string, which is likely not even enterable at the keyboard (it ends up being
> A # ctl-b 9 e alt-control-meta-$ etcetc - of the 32, likely only 10 or so
> of the characters are from the 96-char printable ASCII set, and there's a good
> chance that at least several of the bytes are ones you can't enter from the
> keyboard at all....)
>   
Here again, I agree. Now, if one needs to exhaustively try every 
possible 32b hashes with the largest possible charset (or even bigger hashes
with a smaller - like those alphanumerical keys you just mentionned), to 
break a password hash, the it's not a "*BIG*" security issue like 
mentionned earlier imho.

Cheers,

endrazine-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ