Open Source and information security mailing list archives
Date: Thu, 21 Mar 2013 11:27:41 -0700
From: ravin wind <>
Subject: Re: [PHC] Password Hashing done wrong on CISCO IOS

On 03/21/2013 10:15 AM, Marsh Ray wrote:
> 	"In future, Cisco plans to deprecate Type 4 passwords and deprecation warnings
> 	for Type 5 will be removed. The company then plans on having another go at
> 	implementing the 1000 iteration SHA-256 with 80-bit salt algorithm it had
> 	planned for Type 4; it has yet to select a type designation for this new algorithm."
> They can't just patch the "Type 4" algorithm at this point because that will break stuff.

Type-4 passwords are already "broken" and should not be used. But will
that happen? Cisco expects its users to manually fix this. Users
generally have a history of not fixing this manually *until* it's
non-functional (not just if the security is broken or recommended). You
mean by "break stuff" as in non-functional. To me Type-4 *is*
non-functional -- as in not working, not validated for the use intended.

> Whatever they do next they're obviously going to be extra careful.

Really? Like they did with the UPnP on by default (never fixed) or the
centralized admin interface that had to be rolled back (after massive
protest from users)? From their history, it is *not* at all obvious that
they were, or are, going to be extra careful. What they are doing is
simply putting the same 80 bit salt and 1000 PBKDF2 that they claimed to
have in the first place, but certainly never tested. Wait, it will
happen again. Will they test this time? Not obviously. It *is* obvious
that they were not extra careful.

> Most companies don't like to talk publicly about their development plans until they're very solid.
Especially when they mess up badly like this.
