lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <17807.1191594936@turing-police.cc.vt.edu>
Date: Fri, 05 Oct 2007 10:35:36 -0400
From: Valdis.Kletnieks@...edu
To: Brian Toovey <admin@...ntrac.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: password hash

On Thu, 04 Oct 2007 22:22:14 EDT, Brian Toovey said:
> Does anyone know what kind of password hash this is?
> 'password1' =
> &c6;Ub&c3;&ab;&19;a&cf;&86;

Hex format would be less likely to be mis-parsed.  I'm *guessing* you
mean the hash is x'c65562c3 ab1961cf 86' - which is slightly odd, being
72 bits long.  A salted 64-bit hash, perhaps?  Or it might be some home-grown
hash that somebody invented.

If you know what 'password1' hashes to, it's time to do some differential
cryptography and try hashing 'password2', 'password11', 'passwor111', and so
on, to determine how many input characters the hash considers.  The next thing
to try is hashing 'qassword1' (which has one bit different from 'password1')
and seeing how many of the output bits change, which will tell you the relative
strength of the hash.  A good hash will have about half the bits change on a
one-bit difference (and continuing through q, r, s, t and so on won't reveal
any pattern of *which* bits change), while a bad hash will fail to cause a bit
cascade and only a few bits will be different in the output.


Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ