Date: Tue, 5 Jul 2005 05:33:24 +0400 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: understanding the encryption method On Mon, Jul 04, 2005 at 02:22:16AM -0700, Lyn Scott wrote: > --- Solar Designer <solar@...nwall.com> wrote: > > > The traditional DES-based crypt(3) hashes discard > > characters past 8. [...] > Now i am a little confused... that means if i try to > login using "user_1" as user and "my_passw" instead of > "my_passwd"...it should work? That also means that i > can use "my_passwx" or "my_pass12345" for the password > and it should work too? Correct. > I try to login with > "my_passw" and "my_passwx" but... it doesn't work. > It only works with "my_passwd"!! Now this is interesting. If this user's password hash is expressed with a 13-character string that John cracked as "my_passw", yet logins with "alternate forms" of this password fail as you say, this leaves us the only guess that your system stores the "real" password hashes elsewhere. (Of course, it is also possible that you've made a mistake in your testing.) I've never used OpenUnix 8 myself, so the above is just a guess. I'd try looking under /etc/security for possible alternate password files. Of course, even if better hashes are being used, it would be possible to crack first 8 characters of any password separately and then use that knowledge to crack the remaining characters quickly. So this compatibility feature, if that's what it is, comes at a security cost. Please let the list know of your findings. Thanks, -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.