Date: Sun, 18 Dec 2005 21:04:35 +0300 From: Solar Designer <solar@...nwall.com> To: john-users@...ts.openwall.com Subject: Re: saltless passwords On Sun, Dec 18, 2005 at 05:39:42PM +0000, Tavis Ormandy wrote: > For some reason, possibly unintentionally, the `passwd` utility provided > by busybox does not use a salt when the md5 algorithm is selected (the > default). This results in encrypted password fields in the format: > > $1$$I2o9Z7NcvQAKp7wyCTlia0 This should be reported to busybox developers as a bug. > this check from valid() in MD5_fmt.c seems to be responsible: > > if (!*pos || pos < &ciphertext || pos > &ciphertext) return 0; In current versions of John the Ripper, this line reads: if (!*pos || pos < &ciphertext || pos > &ciphertext) return 0; I've just made sure that 1.6.40 loads and cracks your sample password file - it does. > Unless there's a good reason for this check, as at least one passwd > implementation in use doesnt seem to generate a salt, maybe this check > should be removed? It needed to be relaxed, not removed, and that had been done some years ago (I don't remember when I did that exactly). Hopefully, it won't take too long before I officially release 1.6.40+ as 1.7. Thanks, -- Alexander Peslyak <solar at openwall.com> GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598 http://www.openwall.com - bringing security into open computing environments Was I helpful? Please give your feedback here: http://rate.affero.net/solar
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.