Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 5 Jul 2005 05:33:24 +0400
From: Solar Designer <>
Subject: Re: understanding the encryption method

On Mon, Jul 04, 2005 at 02:22:16AM -0700, Lyn Scott wrote:
> --- Solar Designer <> wrote:
> > The traditional DES-based crypt(3) hashes discard
> > characters past 8.

> Now i am a little confused... that means if i try to
> login using "user_1" as user and "my_passw" instead of
> "my_passwd" should work? That also means that i
> can use "my_passwx" or "my_pass12345" for the password
> and it should work too?


> I try to login with
> "my_passw" and "my_passwx" but... it doesn't work.
> It only works with "my_passwd"!!

Now this is interesting.  If this user's password hash is expressed with
a 13-character string that John cracked as "my_passw", yet logins with
"alternate forms" of this password fail as you say, this leaves us the
only guess that your system stores the "real" password hashes elsewhere.
(Of course, it is also possible that you've made a mistake in your testing.)

I've never used OpenUnix 8 myself, so the above is just a guess.  I'd
try looking under /etc/security for possible alternate password files.

Of course, even if better hashes are being used, it would be possible to
crack first 8 characters of any password separately and then use that
knowledge to crack the remaining characters quickly.  So this compatibility
feature, if that's what it is, comes at a security cost.

Please let the list know of your findings.


Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Was I helpful?  Please give your feedback here:

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.