Bugtraq mailing list archives

Re: Messenger/Hotmail passwords at risk


From: Peter van Dijk <peter () dataloss nl>
Date: Mon, 9 Jul 2001 21:24:29 +0200

On Fri, Jul 06, 2001 at 09:32:36PM -0000, gregory duchemin wrote:
[snip]
> the hash creation process is as follows:
> ======================================
>
> say user toto has a password "titan"
> then his client generates the string "yyyyyyyyy.yyyyyyyyytitan" and the
> according MD5 hash, say xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
> the client sends MD5(yyyyyyyyy.yyyyyyyyytitan) on the wire.

This is the exact same thing APOP does - server sends a string, client
appends password to string, takes MD5 hash and sends back. If your
cracker is what you say it is (I haven't checked) then APOP should be
just as vulnerable.

Greetz, Peter
-- 
Against Free Sex!   http://www.dataloss.nl/Megahard_en.html
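
The construction compared in the message above, as an added example that is not part of the original post or either author's code. It computes MD5(challenge + password) for APOP using the worked example from RFC 1939 and for a Messenger-style exchange, then shows why a recorded challenge/response pair is enough to test password guesses offline; the Messenger challenge value and the wordlists are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac

def challenge_response(challenge: str, password: str) -> str:
    """Hex MD5 of challenge followed by password: the quoted scheme and APOP."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()

def guess_matches(challenge: str, observed: str, guess: str) -> bool:
    """True if `guess` reproduces the digest seen on the wire.
    Nothing here needs the server: both inputs travel in cleartext."""
    return hmac.compare_digest(challenge_response(challenge, guess), observed.lower())

def audit_exchange(challenge: str, observed: str, wordlist):
    """Password audit: return the first wordlist entry that explains the
    recorded exchange, or None if the password is not in the list."""
    for candidate in wordlist:
        if guess_matches(challenge, observed, candidate):
            return candidate
    return None

# APOP worked example from RFC 1939: greeting timestamp, shared secret, digest.
APOP_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
APOP_SECRET = "tanstaaf"
APOP_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"

# Constructed Messenger-style exchange in the shape the quoted post describes
# ("yyyyyyyyy.yyyyyyyyy" + password); the challenge value is made up.
MSN_CHALLENGE = "123456789.123456789"
MSN_RESPONSE = challenge_response(MSN_CHALLENGE, "titan")

# Constructed wordlists for the audit.
WEAK_WORDS = ["password", "letmein", "titan", "tanstaaf"]
OTHER_WORDS = ["password", "letmein"]

if __name__ == "__main__":
    print("APOP digest matches RFC:",
          challenge_response(APOP_TIMESTAMP, APOP_SECRET) == APOP_DIGEST)
    print("APOP audit result:",
          audit_exchange(APOP_TIMESTAMP, APOP_DIGEST, WEAK_WORDS))
    print("Messenger-style audit result:",
          audit_exchange(MSN_CHALLENGE, MSN_RESPONSE, WEAK_WORDS))
```

The same three functions serve both protocols unchanged, so the two schemes hold up or fail together: the fresh challenge prevents replay, but the strength of the password is the only thing that limits offline guessing.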

