Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Oct 2022 20:02:17 +0200
From: Matthias Apitz <>
Subject: Re: using john to decrypt DES hashes

El día jueves, octubre 13, 2022 a las 06:07:02p. m. +0200, Solar Designer escribió:

> On Thu, Oct 13, 2022 at 03:55:32PM +0200, Matthias Apitz wrote:
> > Do I understand you correct: I yescrypt all DES strings in the database
> > and when the user presents the PIN 4711 I first crypt the with DES and
> > the old salt 'xX' and the result with yescrypt and the stored "$y$...."  
> > salt and when this match the user is authenticated, correct?
> That's correct.
> In your example, though, a 4-digit PIN is too weak even when you use
> yescrypt.  You'll probably want to also introduce a password policy,
> such as by using our passwdqc.

Thanks. I didn't wanted to stress with all details. The PIN can be upto
40 bytes long (minimum is 11), is broken into pieces of 8 and DES encrypted
each part, resulting hashes are then concatenated with the salt only once
in front of the concatenation. This is some kind of standard procedure, I don't
remember it's name now.


Matthias Apitz, ✉, +49-176-38902045
Public GnuPG key:

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.