Date: Fri, 22 Jun 2012 10:32:42 +0200 From: Per Thorsheim <per@...rsheim.net> To: "john-dev@...ts.openwall.com" <john-dev@...ts.openwall.com> Cc: "john-dev@...ts.openwall.com" <john-dev@...ts.openwall.com> Subject: Re: Re: EPiServer format fails on 32-bit builds. Gentlemen; Do not be afraid of looking at the hashcat thread on episerver: http://hashcat.net/forum/thread-987.html?highlight=Episerver for info. Twitter: @skradel & @klingsen have made blog posts about this stuff, and Troy Hunt (troyhunt.com) is working on something as well. Best regards, Per Thorsheim Den 22. juni 2012 kl. 10:19 skrev Frank Dittrich <frank_dittrich@...mail.com>: > On 06/22/2012 10:03 AM, Dhiru Kholia wrote: >> 18 is the upper bound. I will fix my source to use this upper bound. > > 18 is the upper bound only if the base64 encoded salt is not longer than > 24 characters. > Since valid() doesn't verify this, if is still possible to break this > format. > I am, however, not sure if valid() should reject hashes if the base64 > encoded salt is longer than 24 characters, or if the format should be > able to handle a larger salt size (and if so, which one). > > Googling for "aspnet_membership passwordformat" I found this link: > > http://msdn.microsoft.com/en-us/library/aa478949.aspx > > Not sure if this also applies to episerver. > But > > PasswordSalt > nvarchar(128) > Randomly generated 128-bit value used to salt password hashes; stored in > base-64-encoded form > > generates more confusion than it clarifies anything. > 128 characters, bytes, or bits? > Before or after base64 encoding? > No idea. > > Frank
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.