Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Mar 2013 17:28:06 +0100
From: Frank Dittrich <>
Subject: Re: Cisco - Password type 4 - SHA256

On 03/16/2013 02:54 PM, Dhiru Kholia wrote:
> On Sat, Mar 16, 2013 at 5:48 PM, <> wrote:
>> Yeah so I released code on #openwall
> Thanks.
> I have made a crappy format for this,

Your implementation uses PLAINTEXT_LENGTH 125.
Is the max. length supported by Cisco documented somewhere, or can you
test it?
E.g., use a password of length 128, then try the 64 leading characters,
see if the hash differs or not, and find out the correct length applying
a binary search...

Also, can you make sure the algorithm really distinguishes upper and
lower case characters?

What about trying some non-ascii characters?
You specified FMT_8_BIT, so you should verify that those characters are
not "truncated" to 7 bits (or even converted to UTF-8).

> Ideally, one time base64 decoding should be used instead of repetitive
> base64 encoding.

The valid() implementation could need additional checks.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.