lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGKxTURTNJ8AheP-sFqQsCH1o3mPTEET7Noms8_Zay_3HqOy+g@mail.gmail.com> Date: Sun, 13 Sep 2015 15:16:34 +1000 From: Christian Heinrich <christian.heinrich@...h.id.au> To: discussions@...sword-hashing.net Subject: Re: [PHC] CynoPrime finds AM src.code flaws, AND YOU KNOW WHAT HAPPENS NEXT Per, On Fri, Sep 11, 2015 at 7:20 PM, Per Thorsheim <per@...rsheim.net> wrote: > Well, my post still holds, on the fact that having an account with AM > doesn't prove anything "illegal" by itself. Unless of course having an > unverififed account with a dating service by itself is morally wrong. > Legally its not afaik. > > The amount of passwords cracked by @CynoPrime however, and their current > estimates says they will crack 90-95% of all the passwords - for all > accounts, I have no doubt AM have completely FUBAR their password > storage implementation. To clarify, if the unverified account had authenticated once bcrypt was available they would have transitioned from MD5AM and MD5AM2? Also bcrypt wasn't available in PHP until v5.5 according to http://php.net/manual/en/function.password-hash.php and if correlating their repository logs to PHP release timelines proves that they didn't "reinvent the wheel" then an apology should be made on Graham's blog don't you think Per? :) -- Regards, Christian Heinrich http://cmlh.id.au/contact
Powered by blists - more mailing lists