Re: Google Desktop Search

[mike () ampeisch com]

Not necessarily -- that's what "salt" characters are for in crypto. Check
out "Applied Cryptography".  The added value is that if you have the plain
text password, you have the password, if you have the hash, you still have
to crack it, or BF it.  MD5sum is one of the methods that Unix/Linux use
for OS password storage.  What Yahoo is doing isn't perfect, but it's a
damn site better than pointless.

M.



> What is the added benefit of sending MD5 hashes instead of plain-text
> passwords? I mean, the MD5 hash will be the same for the same password,
> isn't it?
>
> I hope that Yahoo has implemented something more complicated that that,
> otherwise it is plain pointless.
>
> -- rem.
>
> mike () ampeisch com wrote:
> >  Read the javascript in the headers of Yahoo's login page:
> >
> > <-- Begin javascript comments from Yahoo -->
> > /*
> >  * A JavaScript implementation of the RSA Data Security, Inc. MD5
> > Message
> >  * Digest Algorithm, as defined in RFC 1321.
> >  * Copyright (C) Paul Johnston 1999 - 2000.
> >  * Updated by Greg Holt 2000 - 2001.
> >  * See http://pajhome.org.uk/site/legal.html for details.
> >  */
> >
> > <-- End Javascript comments from Yahoo -->
> >
> > THEY don't even cache, or pass, your password. Like all secure programs,
> > they store, and transmit, an MD5 Sum.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html