Bugtraq mailing list archives
Re: networksolutions CRYPT-PW salt (was: Re: Insecure handling of NetSol maintainer passwords)
From: jlewis () LEWIS ORG (jlewis () LEWIS ORG)
Date: Sat, 13 Nov 1999 17:28:49 -0500
On Thu, 11 Nov 1999, der Mouse wrote:
[T]his makes networksolutions' crypted passwords far more vulnerable to attack using a pre-generated dictionary [...] effectively there is no salt at all.

Right. Isn't that delightful of them? Of course, there's also the question, what if the first two characters do not belong to the a-zA-Z0-9./ set that are used to represent hashed passwords? Then the first two chars aren't a valid salt at all.

I don't know if this has been overlooked, or if people are just assuming that most will use NetSlo's web forms...but you're free to send them your own personally crypted password. I didn't even know they had a form for creating your crypted password.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
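
An added example, not part of the original post or of Network Solutions' code: a check that a CRYPT-PW value you crypted yourself uses a salt independent of the password. It assumes traditional 13-character crypt(3) strings and takes the thread's description that the form's salt is the first two password characters; the function names and sample values are constructed.

```python
import secrets
import string

# The 64 characters crypt(3) uses for salts and for its output.
CRYPT_ALPHABET = string.ascii_letters + string.digits + "./"


def is_valid_salt(salt):
    """True if salt is exactly two characters from the crypt(3) alphabet."""
    return len(salt) == 2 and all(c in CRYPT_ALPHABET for c in salt)


def prefix_salt(password):
    """Salt under the scheme as the thread describes it (an assumption):
    the first two password characters. Returns None when they are not a
    valid salt, the case the quoted message asks about."""
    prefix = password[:2]
    return prefix if is_valid_salt(prefix) else None


def random_salt():
    """Pick one of the 64 * 64 = 4096 salts uniformly at random."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(2))


def audit_crypt_pw(password, crypt_hash):
    """Classify a CRYPT-PW value as 'malformed', 'unsalted' or 'ok'.

    Traditional crypt(3) output is 13 characters and starts with the
    two-character salt, so the salt is read straight off the value.
    """
    if len(crypt_hash) != 13 or any(c not in CRYPT_ALPHABET for c in crypt_hash):
        return "malformed"
    if crypt_hash[:2] == prefix_salt(password):
        return "unsalted"  # same password always produces the same hash
    return "ok"


# Constructed sample values: placeholders shaped like crypt(3) output,
# not real hashes of the password shown.
SAMPLES = [
    ("secret99", "seAbCdEfGhIjK"),  # salt copied from the password
    ("secret99", "Q7AbCdEfGhIjK"),  # independent salt
    ("secret99", "Q7short"),        # wrong length
]

if __name__ == "__main__":
    for password, value in SAMPLES:
        print(value, "->", audit_crypt_pw(password, value))
```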