Penetration Testing mailing list archives
Re: Validating if password is encoded or encrypted
From: Sergey Soldatov <votadlos () gmail com>
Date: Mon, 3 Oct 2011 08:19:41 +0400
Hello, Karen. If something is encrypted, cypher text is pseudorandom. This is also true for hash function (aka message digest like MD4, MD5, SHA, etc) output. Pseudo random sequences are not compressed by archives. So, you can check that stored encrypted passwords are random: take a number of them and from text that then try to archive (let it be ZIP, for example). If they compressed well, they are not output from good encryption algorithm or hash function. It they BASE64-encoded its better to decode them before this experiment, you should take clean encryption/hash algorithm output. On Sat, Sep 17, 2011 at 9:05 PM, Abe <abek1 () comcast net> wrote:
Most APIs will give you a byte array after Base64 decoding. Once you have the byte array you will need to pass that to the string constructor and specify the character set used on the system where the passwords were stored. Usually the passwords will be base64 encoded before being stored in the db so when you convert the base64 decoded bytes into a string you either want to do this on the same system that base64 encoded the data using the default character set or on your system and ensure that the character set on your system matches that on the system which does the base64 encoding or if they don't match you will need to specify the character set used to create the string object from bytes. Then you can reliable look at the string data to see if it resembles viable passwords or encrypted characters. By the way, if you are doing this on live systems then it could be exposing actual user passwords. Regards, Abe -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Maksim.Filenko () fuib com Sent: Monday, September 12, 2011 7:37 AM To: Karen Sy Cc: listbounce () securityfocus com; pen-test () securityfocus com Subject: RE: Validating if password is encoded or encrypted Hey Karen, It is possible for passwords to be encrypted (i.e. with AES) and then encoded with Base64 before storing it in DB. What do you get after decoding those Base64 strings? Binary data? wbr, - MaxHi Everyone, I'm currently reviewing an app prior to launching to our prod. One of our security requirements is for the password to be encrypted. When i checked the password field in db, i noticed that all passwords are ending with a double equal sign e.g "==". I am under the impression that they are just base64 encoded rather than encrypted. However, i tried decoding it using base64 but i'm not getting a valid data. Am i right in saying that the password is encoded? If yes with what e.g. base64? How can i prove or show them that this the password is just encoded rather than encrypted? Or is it encrypted?------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
-- Best regards, Sergey V. Soldatov, CISA, CISSP Want to discuss information security? Visit reply-to-all.blogspot.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Re: Validating if password is encoded or encrypted Sergey Soldatov (Oct 03)
- Re: Validating if password is encoded or encrypted Omar Herrera (Oct 04)