Date: Fri, 22 Jun 2012 10:32:42 +0200
From: Per Thorsheim <per@...rsheim.net>
To: "john-dev@...ts.openwall.com" <john-dev@...ts.openwall.com>
Cc: "john-dev@...ts.openwall.com" <john-dev@...ts.openwall.com>
Subject: Re: Re: EPiServer format fails on 32-bit builds.

Gentlemen;

Do not be afraid of looking at the hashcat thread on episerver: http://hashcat.net/forum/thread-987.html?highlight=Episerver for info.

Twitter: @skradel & @klingsen have made blog posts about this stuff, and Troy Hunt (troyhunt.com) is working on something as well.


Best regards,
Per Thorsheim

Den 22. juni 2012 kl. 10:19 skrev Frank Dittrich <frank_dittrich@...mail.com>:

> On 06/22/2012 10:03 AM, Dhiru Kholia wrote:
>> 18 is the upper bound. I will fix my source to use this upper bound.
> 
> 18 is the upper bound only if the base64 encoded salt is not longer than
> 24 characters.
> Since valid() doesn't verify this, it is still possible to break this
> format.
> I am, however, not sure if valid() should reject hashes if the base64
> encoded salt is longer than 24 characters, or if the format should be
> able to handle a larger salt size (and if so, which one).
> 
> Googling for "aspnet_membership passwordformat" I found this link:
> 
> http://msdn.microsoft.com/en-us/library/aa478949.aspx
> 
> Not sure if this also applies to episerver.
> But
> 
> PasswordSalt
> nvarchar(128)
> Randomly generated 128-bit value used to salt password hashes; stored in
> base-64-encoded form
> 
> generates more confusion than it clarifies anything.
> 128 characters, bytes, or bits?
> Before or after base64 encoding?
> No idea.
> 
> Frank
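The length check Frank describes as missing from valid(), as an added example in C that is not code from John the Ripper or from this thread. It treats the base64 salt as a standalone string and assumes a fixed 18-byte decoded-salt buffer; the thread does not show the actual hash layout, so both are assumptions.

```c
#include <string.h>

/* Assumed (not from the thread): the decoded salt lives in a fixed buffer
 * of SALT_SIZE bytes; 24 base64 characters decode to at most 18 bytes,
 * which is where "18 is the upper bound" comes from. */
#define SALT_B64_MAX 24
#define SALT_SIZE    18
static int b64_val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* The check the thread says valid() is missing: accept the salt field only
 * if it is well-formed base64 of at most SALT_B64_MAX characters. Returns
 * the decoded byte count it will produce, or -1 if the field is rejected. */
int episerver_salt_valid(const char *b64)
{
    size_t len = strlen(b64), i, pad = 0;
    if (len == 0 || len % 4 != 0 || len > SALT_B64_MAX)
        return -1;
    while (pad < 2 && b64[len - 1 - pad] == '=')
        pad++;
    for (i = 0; i < len - pad; i++)
        if (b64_val((unsigned char)b64[i]) < 0)
            return -1;
    return (int)(len / 4 * 3 - pad);
}

/* Decodes into the fixed buffer only after the length check has bounded the
 * output, so an over-long salt can no longer overrun it. Returns the number
 * of bytes written, or -1 if the salt was rejected. */
int episerver_salt_decode(const char *b64, unsigned char out[SALT_SIZE])
{
    int want = episerver_salt_valid(b64);
    size_t i, n = 0;
    if (want < 0)
        return -1;
    for (i = 0; b64[i] != '\0'; i += 4) {
        unsigned v = 0;
        for (int k = 0; k < 4; k++)
            v = (v << 6) | (b64[i + k] == '=' ? 0u : (unsigned)b64_val((unsigned char)b64[i + k]));
        out[n++] = (unsigned char)(v >> 16);
        if (n < (size_t)want) out[n++] = (unsigned char)(v >> 8);
        if (n < (size_t)want) out[n++] = (unsigned char)v;
    }
    return (int)n;
}
```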
