Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20120605061340.GB15861@openwall.com>
Date: Tue, 5 Jun 2012 10:13:40 +0400
From: Solar Designer <solar@...nwall.com>
To: Dmitriy Serebryannikov <DSerebryannikov@...ecurity.ru>
Cc: Aleksey Cherepanov <aleksey.4erepanov@...il.com>,
	hashrunner <hashrunner@...ecurity.com>,
	john-users@...ts.openwall.com
Subject: Re: where are the salts?

On Tue, Jun 05, 2012 at 10:06:50AM +0400, Solar Designer wrote:
> While empty username for DCC2 hashes is weird and unlikely to be seen in
> the wild (but I don't rule out the possibility), there's no such thing
> as empty salt for phpass hashes that phpBB3 and WordPress use.  Those
> 27-char strings, if put into a user database of phpBB3 or WordPress,
> would probably not allow one to log in with any password at all - so
> wouldn't it be correct to say that no password matches them? ;-)

I meant 26-char.  The full/correct phpass hash encodings are 34-char.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.