Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 5 Jul 2005 05:33:24 +0400
From: Solar Designer <solar@...nwall.com>
To: john-users@...ts.openwall.com
Subject: Re: understanding the encryption method

On Mon, Jul 04, 2005 at 02:22:16AM -0700, Lyn Scott wrote:
> --- Solar Designer <solar@...nwall.com> wrote:
> 
> > The traditional DES-based crypt(3) hashes discard
> > characters past 8.
[...]

> Now i am a little confused... that means if i try to
> login using "user_1" as user and "my_passw" instead of
> "my_passwd"...it should work? That also means that i
> can use "my_passwx" or "my_pass12345" for the password
> and it should work too?

Correct.

> I try to login with
> "my_passw" and "my_passwx" but... it doesn't work.
> It only works with "my_passwd"!!

Now this is interesting.  If this user's password hash is expressed with
a 13-character string that John cracked as "my_passw", yet logins with
"alternate forms" of this password fail as you say, this leaves us the
only guess that your system stores the "real" password hashes elsewhere.
(Of course, it is also possible that you've made a mistake in your testing.)

I've never used OpenUnix 8 myself, so the above is just a guess.  I'd
try looking under /etc/security for possible alternate password files.

Of course, even if better hashes are being used, it would be possible to
crack first 8 characters of any password separately and then use that
knowledge to crack the remaining characters quickly.  So this compatibility
feature, if that's what it is, comes at a security cost.

Please let the list know of your findings.

Thanks,

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ