Date: Thu, 23 Oct 2014 21:10:08 -0400
From: David <>
Subject: Crashplan

Hello All,

I’ve been using CrashPlan for a while now, and finally decided it was time to do a little research into their handling of passwords. They say the backups themselves are encrypted with a Blowfish key (128 or 448 bit depending on whether you’re a free or paid customer) which they keep a copy of and “lock” with a salted and hashed version of either your account password or archive key password, unless you provide your own Blowfish key. I also just did a tech support chat with CrashPlan and asked for more details and they pointed me at this PDF:  This says that “on the client, the account password is salted with a 64-bit random number and hashed multiple times using SHA-1.”

Anyway, if you back up to your own storage (or to a friend’s storage), they say they store the “secured key” with your backup files for the “guest restore” feature.  It appears that the password hash is stored in a file called inside your backup directory, but john doesn’t recognize the format by default.  I have access to several different accounts’ files since several family members use me as a backup destination, and they all follow the format:


where the x’es are different per account, but all of them have the \=\: in the middle and \= at the end.  How do we get John to process these hashes?

