Date: Fri, 22 Jun 2012 10:32:42 +0200
From: Per Thorsheim <>
To: "" <>
Cc: "" <>
Subject: Re: Re: EPiServer format fails on 32-bit builds.


Do not be afraid of looking at the hashcat thread on episerver: for info.

Twitter: @skradel & @klingsen have made blog posts about this stuff, and Troy Hunt ( is working on something as well.

Best regards,
Per Thorsheim

On 22 June 2012 at 10:19, Frank Dittrich <> wrote:

> On 06/22/2012 10:03 AM, Dhiru Kholia wrote:
>> 18 is the upper bound. I will fix my source to use this upper bound.
> 18 is the upper bound only if the base64 encoded salt is not longer than
> 24 characters.
> Since valid() doesn't verify this, it is still possible to break this
> format.
> I am, however, not sure if valid() should reject hashes if the base64
> encoded salt is longer than 24 characters, or if the format should be
> able to handle a larger salt size (and if so, which one).
> Googling for "aspnet_membership passwordformat" I found this link:
> Not sure if this also applies to episerver.
> But
> PasswordSalt
> nvarchar(128)
> Randomly generated 128-bit value used to salt password hashes; stored in
> base-64-encoded form
> generates more confusion than it clarifies anything.
> 128 characters, bytes, or bits?
> Before or after base64 encoding?
> No idea.
> Frank
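
The length check discussed in the quoted message, as an added example that is not part of the original thread or of John the Ripper's source: a valid()-style test that rejects a base64 salt field unless it decodes into the 18-byte buffer, which is the 24-character limit named above. The names SALT_BUF_SIZE, SALT_B64_MAX, b64_decoded_len and salt_field_ok are hypothetical, and the salt is assumed to have already been split out of the hash line as a NUL-terminated string.

```c
#include <stdio.h>
#include <string.h>

#define SALT_BUF_SIZE 18                              /* bound from the thread */
#define SALT_B64_MAX  (4 * ((SALT_BUF_SIZE + 2) / 3)) /* = 24 characters */

/* Bytes a standard base64 field of n chars decodes to, or -1 if malformed.
 * Hypothetical helper, not a function from any existing code base. */
static int b64_decoded_len(const char *s, size_t n)
{
    static const char alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, pad = 0;

    if (n == 0 || n % 4 != 0)
        return -1;
    if (s[n - 1] == '=')
        pad = (s[n - 2] == '=') ? 2 : 1;
    for (i = 0; i < n - pad; i++)      /* '=' anywhere else is rejected here */
        if (s[i] == '\0' || !strchr(alphabet, s[i]))
            return -1;
    return (int)(n / 4 * 3 - pad);
}

/* valid()-style check: 1 only if the salt decodes into SALT_BUF_SIZE bytes. */
int salt_field_ok(const char *salt_b64)
{
    size_t n = strlen(salt_b64);
    int len;

    if (n > SALT_B64_MAX)              /* reject before any decoding happens */
        return 0;
    len = b64_decoded_len(salt_b64, n);
    return len > 0 && len <= SALT_BUF_SIZE;
}

int main(void)
{
    /* Constructed sample salts, not taken from any real database. */
    const char *samples[] = {
        "AAAAAAAA" "AAAAAAAA" "AAAAAA==",            /* 24 chars, 16 bytes */
        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA",            /* 24 chars, 18 bytes */
        "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAA=",     /* 28 chars, 20 bytes */
        "AA=A",                                      /* misplaced padding  */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i],
               salt_field_ok(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Rejecting in valid() only works if the decoder is never reached for a rejected line; a format that instead chooses to support larger salts has to raise SALT_BUF_SIZE to match.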
