Date: Fri, 22 Jun 2012 10:19:16 +0200 From: Frank Dittrich <frank_dittrich@...mail.com> To: john-dev@...ts.openwall.com Subject: Re: Re: EPiServer format fails on 32-bit builds. On 06/22/2012 10:03 AM, Dhiru Kholia wrote: > 18 is the upper bound. I will fix my source to use this upper bound. 18 is the upper bound only if the base64 encoded salt is not longer than 24 characters. Since valid() doesn't verify this, if is still possible to break this format. I am, however, not sure if valid() should reject hashes if the base64 encoded salt is longer than 24 characters, or if the format should be able to handle a larger salt size (and if so, which one). Googling for "aspnet_membership passwordformat" I found this link: http://msdn.microsoft.com/en-us/library/aa478949.aspx Not sure if this also applies to episerver. But PasswordSalt nvarchar(128) Randomly generated 128-bit value used to salt password hashes; stored in base-64-encoded form generates more confusion than it clarifies anything. 128 characters, bytes, or bits? Before or after base64 encoding? No idea. Frank
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.