Bugtraq mailing list archives
Re: Messenger/Hotmail passwords at risk
From: Peter van Dijk <peter () dataloss nl>
Date: Mon, 9 Jul 2001 21:24:29 +0200
On Fri, Jul 06, 2001 at 09:32:36PM -0000, gregory duchemin wrote: [snip]
the hash creation process is as follow: ====================================== say user toto has a password "titan" then his client generate the string "yyyyyyyyy.yyyyyyyyytitan" and the according MD5 hash, say xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. the client send MD5(yyyyyyyyy.yyyyyyyyytitan) on the wire.
This is the exact same thing APOP does - server sends a string, client appends password to string, takes MD5 hash and sends back. If your cracker is what you say it is (I haven't checked) then APOP should be just as vulnerable. Greetz, Peter -- Against Free Sex! http://www.dataloss.nl/Megahard_en.html
Current thread:
- Messenger/Hotmail passwords at risk gregory duchemin (Jul 09)
- Re: Messenger/Hotmail passwords at risk aleph1 (Jul 09)
- Re: Messenger/Hotmail passwords at risk Peter van Dijk (Jul 09)
- Re: Messenger/Hotmail passwords at risk Jeffrey W. Baker (Jul 09)
- Re: Messenger/Hotmail passwords at risk Pavel Kankovsky (Jul 10)
- Re: Messenger/Hotmail passwords at risk Gaurav Agarwal (Jul 15)
- Re: Messenger/Hotmail passwords at risk Martin Macok (Jul 16)
- Re: Messenger/Hotmail passwords at risk Pavel Kankovsky (Jul 10)
- <Possible follow-ups>
- Re: Messenger/Hotmail passwords at risk Ishikawa (Jul 15)
- Re: Messenger/Hotmail passwords at risk gregory duchemin (Jul 16)
- RE: Messenger/Hotmail passwords at risk Michael Wojcik (Jul 16)
- Re: Messenger/Hotmail passwords at risk Mark (Jul 16)