Bugtraq mailing list archives

Re: networksolutions CRYPT-PW salt (was: Re: Insecure handling of NetSol maintainer passwords)


From: jlewis () LEWIS ORG (jlewis () LEWIS ORG)
Date: Sat, 13 Nov 1999 17:28:49 -0500


On Thu, 11 Nov 1999, der Mouse wrote:

[T]his makes networksolutions' crypted passwords far more vulnerable
to attack using a pre-generated dictionary [...] effectively there is
no salt at all.

Right.  Isn't that delightful of them?

Of course, there's also the question, what if the first two characters
do not belong to the a-zA-Z0-9./ set that are used to represent hashed
passwords?  Then the first two chars aren't a valid salt at all.

I don't know if this has been overlooked, or if people are just assuming
that most will use NetSlo's web forms...but you're free to send them your
own personally crypted password.  I didn't even know they had a form for
creating your crypted password.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
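
The salt rules discussed in this thread, as an added example that is not part of the original message: a Python check over stored traditional crypt(3) strings that flags salts outside the a-zA-Z0-9./ set and identical strings shared between accounts, which is the visible sign of a salt that does no work. The handles and sample strings are constructed for illustration and are not real crypt output.

```python
import secrets
from collections import defaultdict

# Alphabet named in the message: a-zA-Z0-9./ (64 symbols, so 64*64 = 4096 salts).
CRYPT_ALPHABET = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
)
CRYPT_LEN = 13  # traditional crypt(3): 2 salt characters + 11 hash characters


def random_salt():
    """Pick a 2-character salt uniformly from the valid alphabet."""
    symbols = sorted(CRYPT_ALPHABET)
    return "".join(secrets.choice(symbols) for _ in range(2))


def check_crypt_string(value):
    """Return a list of format problems for one stored crypt string."""
    problems = []
    if len(value) != CRYPT_LEN:
        problems.append("length is %d, expected %d" % (len(value), CRYPT_LEN))
    if len(value) < 2 or any(c not in CRYPT_ALPHABET for c in value[:2]):
        problems.append("salt has characters outside a-zA-Z0-9./")
    if any(c not in CRYPT_ALPHABET for c in value[2:]):
        problems.append("hash part has characters outside a-zA-Z0-9./")
    return problems


def shared_hashes(records):
    """Group account handles by identical crypt string.

    Two random salts coincide with probability 1/4096, so accounts that
    share a password rarely share a string; with a salt taken from the
    password itself they always do.
    """
    by_hash = defaultdict(list)
    for handle, value in records:
        by_hash[value].append(handle)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


# Constructed sample records (hypothetical handles; not real crypt output).
SAMPLE = [
    ("AB1-EXAMPLE", "hubqLx0V9sT.w"),
    ("CD2-EXAMPLE", "hubqLx0V9sT.w"),  # same string as AB1: same password, same salt
    ("EF3-EXAMPLE", "p@Zk1mN8cQe2Y"),  # '@' is not a valid salt character
    ("GH4-EXAMPLE", "x9Tg7.aBcD3"),    # truncated value
]
```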

