Security Basics mailing list archives

RE: Re: discover encryption method


From: "Worrell, Brian" <BWorrell () isdh IN gov>
Date: Tue, 8 Jan 2008 08:55:36 -0500

Richard,

I recall an Article, located at
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/ .

But beyond that, I have heard for a while that MD5 hashing has been
reversible in a lot of cases.

Not saying that is the answer here, just passing this on.

Thanks
Brian 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of richard () tortoise demon co uk
Sent: Monday, January 07, 2008 3:18 PM
To: security-basics () securityfocus com
Subject: Re: discover encryption method

On Mon, 07 Jan 2008 22:57:50 +0530, Bipin Upadhyay
<muxical.geek () gmail com> wrote:

RSnake's Hashmaster is just the right thing for you, provided the
passwords aren't salted (in which case you might want to write your
own script.)
http://ha.ckers.org/hashmaster/

Thanks for the link Bipin.

I don't think the encrypted passwords I'm interested in are hashes.
From the little I know in this area, I thought that a hash was a
non-reversible process, in that if:
 
hash(A)=hash(B) then probably A=B, but knowing hash(A) does not allow
you to calculate A.

The application I'm dealing with can somehow present the passwords in
cleartext in its user interface, and so is somehow reconstructing the
text from the encrypted value. I'm supposing it to be encrypted using
some secret key held within the application, but I know neither the key
nor the method.

Please correct me if I'm mistaken.

Regards,
Richard
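
The two points raised in this thread (an unsalted MD5 digest is one-way as a function yet can be found by lookup, and salting defeats that lookup), shown as an added example that is not part of the original messages. The word list, account names and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a precomputed table or search index.
COMMON = ["123456", "password", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON}


def store_unsalted_md5(password):
    """Legacy scheme: bare MD5, identical for every user with this password."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, iterations=200_000):
    """Salted, iterated scheme: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, derived


def verify_salted(password, record):
    """Recompute with the stored salt; compare in constant time."""
    salt, iterations, expected = record
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(derived, expected)


def lookup(stored_hex):
    """Return the plaintext if the digest is in the precomputed table, else None."""
    return MD5_TABLE.get(stored_hex)


def audit(records):
    """Names of accounts whose stored value is recoverable by plain lookup."""
    return sorted(user for user, value in records.items() if lookup(value))


if __name__ == "__main__":
    records = {  # constructed sample credential store
        "alice": store_unsalted_md5("letmein"),
        "bob": store_unsalted_md5("correct horse battery staple"),
        "carol": store_salted("letmein")[2].hex(),
    }
    print("recoverable by lookup:", audit(records))
```

Only the account with a common password stored as bare MD5 is flagged; the same password under a salted scheme is not found, and neither is an uncommon password.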

