Date: Fri, 22 Mar 2013 01:52:44 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Password Hashing done wrong on CISCO IOS

Marsh Ray <maray@...rosoft.com> writes:

>The challenge with subtle password hash bugs is that QA can do a thorough job
>of black-box testing and still not catch 1 round instead of 1000. Customers in
>the field are even unlikely to notice or complain about it.

Firefox (meaning probably NSS, so potentially lots of other products as well)
did this for quite some time, possibly years.  It was only corrected when I
noticed it with dumpasn1 and filed a bug.  Even then it took them over a year,
and repeated nags by me, to get it fixed, and I don't think they changed the
code to fix up existing stored data.  There's probably still who knows how
many private keys floating around out there with effectively no protection on
them because of this.  So it's not just Cisco, it affects other widely-deployed
implementations as well.

Peter.
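
The thread's point is that an iteration-count bug (one round where a thousand were configured) survives ordinary black-box QA because every other observable stays the same. The following is an added example, not code from this list or from any of the implementations discussed: it shows the two cheap checks that do catch it, a known-answer test against the published RFC 6070 PBKDF2-HMAC-SHA1 vectors, and a timing-scaling check that needs no vectors at all. `pbkdf2_single_round_bug` is a hypothetical stand-in for the defect, constructed here for illustration; the reference implementation is written out so the bug's effect on the output is visible.

```python
import hashlib
import hmac
import struct
import time

# Published known-answer vectors from RFC 6070 (PBKDF2-HMAC-SHA1):
# (password, salt, iteration count, dkLen, expected derived key as hex).
RFC6070_VECTORS = [
    (b"password", b"salt", 1, 20, "0c60c80f961f0e71f3a9b524af6012062fe037a6"),
    (b"password", b"salt", 2, 20, "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957"),
    (b"password", b"salt", 4096, 20, "4b007901b765489abead49d926f721d065a429c1"),
    (b"passwordPASSWORDpassword", b"saltSALTsaltSALTsaltSALTsaltSALTsalt", 4096, 25,
     "3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038"),
]


def pbkdf2_hmac_sha1(password, salt, iterations, dklen):
    """Reference PBKDF2 (RFC 8018 section 5.2) with HMAC-SHA1 as the PRF.

    T_i = U_1 xor U_2 xor ... xor U_c, where U_1 = PRF(P, S || INT(i))
    and U_j = PRF(P, U_{j-1}). The iteration count is honoured in full.
    """
    out = b""
    block_index = 1
    while len(out) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += bytes(t)
        block_index += 1
    return out[:dklen]


def pbkdf2_single_round_bug(password, salt, iterations, dklen):
    """Hypothetical defective variant (constructed for this example): it accepts
    and even stores the configured iteration count, but always performs one round,
    which is the class of bug the thread describes."""
    return pbkdf2_hmac_sha1(password, salt, 1, dklen)


def run_known_answer_test(kdf):
    """Return the iteration counts of every RFC 6070 vector the kdf gets wrong.

    An empty list means the implementation agrees with the standard for every
    vector; a bug that ignores the iteration count fails every vector with c > 1.
    """
    failures = []
    for password, salt, count, dklen, expected_hex in RFC6070_VECTORS:
        if kdf(password, salt, count, dklen).hex() != expected_hex:
            failures.append(count)
    return failures


def iteration_scaling_ratio(kdf, low=1, high=20000, repeats=5):
    """Black-box check needing no test vectors: time the kdf at a low and a high
    iteration count and return high_time / low_time.

    A correct implementation scales roughly linearly (ratio close to high/low);
    a ratio near 1 means the iteration count is not being used. The minimum of
    several runs is taken so scheduler noise cannot inflate a single sample.
    """
    def best_time(count):
        samples = []
        for _ in range(repeats):
            start = time.perf_counter()
            kdf(b"password", b"salt", count, 20)
            samples.append(time.perf_counter() - start)
        return min(samples)

    return best_time(high) / best_time(low)


if __name__ == "__main__":
    for name, kdf in (("reference", pbkdf2_hmac_sha1), ("single-round bug", pbkdf2_single_round_bug)):
        print(name, "KAT failures:", run_known_answer_test(kdf),
              "timing ratio: %.1f" % iteration_scaling_ratio(kdf))
```

The known-answer test is the decisive check and belongs in the unit tests of anything that ships a KDF; the timing ratio is the kind of cheap sanity probe that can be run against a black box (or a stored artifact's decryption path) when vectors for the exact parameters are not available.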
