Date: Mon, 20 Jun 2011 08:29:22 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: Either my test script is b0rken or BF has an 8-bit bug

On Mon, Jun 20, 2011 at 07:29:06AM +0400, Solar Designer wrote:
> For passwords of length n*4-1 (3, 7, 11, 15, ...), 8-bit characters in
> positions i*4 (4, 8, 12, ...) result in hashes incompatible with
> OpenBSD's, but without any characters ignored (no security risk).  These
> are similar to passwords of other lengths.

I was wrong about this.  Such passwords (of length 7 and above only,
obviously) have as many as three characters ignored.

> Thus, the probability for an arbitrary password with a single 8-bit
> character to have any of its characters ignored may be estimated as
> 1/8 (assuming uniform distribution of password lengths and of positions
> in which the 8-bit character may be).

This changes to 3/16.

Alexander
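
Added example, not part of the message above and not code from John the Ripper: a C model of the Blowfish key-packing step that checks the correction for a constructed 7-character password with an 8-bit character in position 4. It assumes the 8-bit bug is sign extension of each key byte as it is ORed into a 32-bit word (the message does not state the mechanism); `pack_key` and `count_ignored` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BF_WORDS 18 /* Blowfish key material: 18 32-bit words (72 bytes) */

/* Pack the password, cycled together with its NUL, into 18 words.
 * buggy != 0 models the assumed defect: bytes are sign-extended before the OR. */
static void pack_key(const char *key, int buggy, uint32_t out[BF_WORDS])
{
    const char *ptr = key;
    for (int i = 0; i < BF_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp = (tmp << 8) | (buggy ? (uint32_t)(int32_t)(signed char)*ptr
                                      : (uint32_t)(unsigned char)*ptr);
            ptr = *ptr ? ptr + 1 : key; /* wrap around after the NUL */
        }
        out[i] = tmp;
    }
}

/* Count positions whose character can be swapped for any 7-bit value
 * without changing the packed key, i.e. characters that are ignored. */
static int count_ignored(const char *pw, int buggy)
{
    char probe[73];
    uint32_t ref[BF_WORDS], alt[BF_WORDS];
    size_t len = strlen(pw);
    int ignored = 0;
    if (len >= sizeof(probe)) return -1;
    pack_key(pw, buggy, ref);
    for (size_t k = 0; k < len; k++) {
        int differs = 0;
        for (int c = 1; c < 128 && !differs; c++) {
            memcpy(probe, pw, len + 1);
            probe[k] = (char)c;
            pack_key(probe, buggy, alt);
            differs = memcmp(ref, alt, sizeof(ref)) != 0;
        }
        ignored += !differs;
    }
    return ignored;
}

int main(void)
{
    const char *pw = "abc\xe9" "xyz"; /* constructed: length 7, 8-bit char in position 4 */
    printf("ignored: buggy=%d fixed=%d\n", count_ignored(pw, 1), count_ignored(pw, 0));
    return 0;
}
```

With the sign-extending packing, the three characters before the 8-bit one in the same word have no effect on the packed key; with unsigned packing every character does.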
