Date: Tue, 5 Jun 2012 10:06:50 +0400 From: Solar Designer <solar@...nwall.com> To: Dmitriy Serebryannikov <DSerebryannikov@...ecurity.ru> Cc: Aleksey Cherepanov <aleksey.4erepanov@...il.com>, hashrunner <hashrunner@...ecurity.com>, john-users@...ts.openwall.com Subject: Re: where are the salts? On Thu, May 31, 2012 at 06:06:20AM +0000, Dmitriy Serebryannikov wrote: > Use empty salt for md5(phpbb3/wordpress) hashes and empty username for DCC2 hashes. JFYI: While empty username for DCC2 hashes is weird and unlikely to be seen in the wild (but I don't rule out the possibility), there's no such thing as empty salt for phpass hashes that phpBB3 and WordPress use. Those 27-char strings, if put into a user database of phpBB3 or WordPress, would probably not allow one to log in with any password at all - so wouldn't it be correct to say that no password matches them? ;-) Now, I am not suggesting to disregard teams' cracked passwords against these hashes, if any (were any cracked by any team?) That was a fun riddle - figure out or guess just what is meant by "empty salt" - and perhaps teams deserve the scores received for this (if any). I am merely saying that this had little to do with cracking of real-world password hashes. Even if such a riddle is somehow seen and solved in the real world, those passwords would not be usable to log in to the target systems. Similarly, the erroneous character in bcrypt hashes (the last salt character that encodes only 2 bits normally, but that somehow had other bits set as well) would prevent logins to accounts where those hashes are set. That is, if we correct the erroneous character, successfully crack the hash, and try to log in with the resulting password, the login will fail. Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.