Date: Mon, 21 Apr 2008 13:51:03 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] JtR jumbo patch updates; phpass adoption; pam_passwdqc 1.0.5

Hi,

This is to announce several Openwall news items related to our password
security tools.

1. Since the last announcement on this mailing list, there have been
major additions to the jumbo patch for John the Ripper 1.7.2, which is
now up to revision 12.  Erik Winkler and I have worked on merging the
patches, fixing bugs, testing, etc.  Support has been added for:

- Mac OS X 10.4+ salted SHA-1 hashes;
- two MS SQL hash types (by bartavelle);
- MySQL 4.1+ hashes based on SHA-1 (by Marti Raudsepp);
- Oracle hashes based on DES (by bartavelle);
- HMAC-MD5 (by bartavelle);
- LMv2 challenge/response (by JoMo-Kun);
- half-of-LM-response (by Dhirendra Singh Kholia);
- EPiServer SID hashes (by Johannes Gumbel);
- md5(md5($password) . $salt) as commonly used in PHP applications
  (by Albert Veli).

This revision also includes a much faster implementation of old MySQL
hashes (by Balazs Bucsay and Peter Kasza).

As usual, the jumbo patch is found in the "contributed resources" list
on the John the Ripper homepage:

http://www.openwall.com/john/

2. Our PHP password hashing framework - phpass - has been adopted by
several major web applications - phpBB3, WordPress, bbPress, and Drupal.
The first three have already made stable releases that use phpass
password hashes.  Drupal currently uses phpass password hashes in
development versions leading to the upcoming Drupal 7 release, and
there's also a module that makes phpass available with Drupal 5 & 6.

Specific information on the way these applications have integrated
phpass, as well as relevant links are available on the phpass homepage:

http://www.openwall.com/phpass/

Also available on the above page is a Python module port of phpass 0.1
by Alexander Chemeris and a link to the Authen::Passphrase::PHPass Perl
module in CPAN by Andrew Main (Zefram).  These modules can be used for
checking passwords against existing phpass "portable" hashes from
scripts written in Python and Perl, respectively.

The development of phpass and efforts on getting it into Drupal have
been partially supported by CivicActions:

http://www.civicactions.com

Yes, we're publicly acknowledging companies that fund our work on free
and Open Source software (unless we're asked otherwise). :-)

Additionally, I have contributed a faster MD5 implementation to PHP,
which should appear in PHP 5.3.0+, making phpass "portable" hashes a bit
more efficient on those newer versions of PHP.

3. A new minor release of our password strength checking module -
pam_passwdqc version 1.0.5 - is out.  In this version, the separator
characters (used for randomly generated "passphrases") have been
replaced with some of those defined by RFC 3986 as being safe within
the "userinfo" part of URLs without encoding, the default minimum length
for passphrases has been reduced from 12 to 11 characters, and
corrections to the documentation have been made.

The homepage for pam_passwdqc is:

http://www.openwall.com/passwdqc/

Currently, pam_passwdqc is known to work on Linux (with Linux-PAM),
FreeBSD (with OpenPAM - and in fact, pam_passwdqc is a part of FreeBSD),
Solaris 2.6+, and HP-UX 11+.  It may also work on other systems that use
PAM for password changing.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments