Full Disclosure mailing list archives
Re: password hash, funny myth in the industry!
From: phioust <phioust () gmail com>
Date: Tue, 16 Oct 2007 15:12:06 -0500
On 10/16/07, Bipin Gautam <gautam.bipin () gmail com> wrote:
> Consider the fact, many websites/forums don't use password hash+salt, just password hash (generally SHA1, MD5) that gets computer client side and POSTed to the web-forum for user authentication.

Is "computer" supposed to be "computed"? Based on your post I think it's supposed to be, and if so you are an idiot. The browser does not hash your password in any way, nor are there directives to tell your browser to do so. The clear-text pass is sent in the POST, so of course you can sniff, but as this post says 1000s of username/password combos were dropped, so who is going to sniff all those machines?

> instead just using the password hash itself manipulating the POST request.

The hash is not sent in the request - the clear text is, and the server-side code (php, asp, whatever) hashes it before checking it against the database. You suck at life.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
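The two designs argued over in this exchange, as an added example that is not part of the thread and is not code from either poster. It models (A) a site where the client computes an unsalted SHA-1 of the password and POSTs the hash, and (B) a site where the client POSTs the clear text and the server salts and hashes it. The user name, password and credential tables are constructed for the demo; the "attacker" functions show what happens when a dumped hash is dropped straight into the POST, which is the move the quoted post describes.

```python
import hashlib
import hmac
import os

# --- Design A: client hashes, server stores and compares the bare hash ---
# Constructed sample credential store: an unsalted SHA-1 of the password,
# which is all a forum doing client-side hashing (and no salt) would keep.
USERS_A = {"alice": hashlib.sha1(b"hunter2").hexdigest()}


def client_a(user: str, password: str) -> dict:
    """What the browser would POST in design A: the hash, not the password."""
    return {"user": user, "pw_hash": hashlib.sha1(password.encode()).hexdigest()}


def server_a(post: dict) -> bool:
    """Server accepts the POSTed hash if it equals the stored one."""
    stored = USERS_A.get(post["user"])
    return stored is not None and hmac.compare_digest(stored, post["pw_hash"])


# --- Design B: client sends clear text, server salts and hashes ---
ITERATIONS = 100_000  # assumed work factor for the demo


def make_record(password: str) -> tuple:
    """Per-user random salt plus a slow salted digest (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


USERS_B = {"alice": make_record("hunter2")}


def client_b(user: str, password: str) -> dict:
    """What the browser POSTs in design B: the clear-text password."""
    return {"user": user, "password": password}


def server_b(post: dict) -> bool:
    """Server re-derives the salted digest from the POSTed clear text."""
    rec = USERS_B.get(post["user"])
    if rec is None:
        return False
    salt, digest = rec
    cand = hashlib.pbkdf2_hmac("sha256", post["password"].encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


# --- The attacker's move from the quoted post: take the value straight out
# of the dumped table and put it into the POST, never learning the password.
def replay_dumped_hash_a(user: str) -> bool:
    """Design A: the stored hash is what the client sends, so it IS the credential."""
    leaked = USERS_A[user]
    return server_a({"user": user, "pw_hash": leaked})


def replay_dumped_hash_b(user: str) -> bool:
    """Design B: the dump holds only the salted digest; posting it as the
    'password' just gets it salted and hashed again, which cannot match."""
    _salt, digest = USERS_B[user]
    return server_b({"user": user, "password": digest.hex()})


if __name__ == "__main__":
    print("A legit login:", server_a(client_a("alice", "hunter2")))
    print("A replay of dumped hash:", replay_dumped_hash_a("alice"))
    print("B legit login:", server_b(client_b("alice", "hunter2")))
    print("B replay of dumped digest:", replay_dumped_hash_b("alice"))
```

Under design A the dumped table is a table of working credentials: whatever the server compares against is exactly what the client is expected to send, so no cracking is needed. Under design B the dump still has to be cracked, and the per-user salt and iteration count make that cost scale with the number of users. Client-side hashing only stops being a password-equivalent if the server adds something the client cannot replay (a per-login challenge), which neither design here does.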
Current thread:
- password hash, funny myth in the industry! Bipin Gautam (Oct 16)
- Re: password hash, funny myth in the industry! Thierry Zoller (Oct 16)
- Re: password hash, funny myth in the industry! phioust (Oct 16)
- Re: password hash, funny myth in the industry! upb (Oct 17)
- Re: password hash, funny myth in the industry! Stephan G. (Oct 17)
- Re: password hash, funny myth in the industry! Valdis . Kletnieks (Oct 17)
- <Possible follow-ups>
- Re: password hash, funny myth in the industry! full-disclosure (Oct 16)
- Re: password hash, funny myth in the industry! full-disclosure (Oct 16)