Penetration Testing mailing list archives
RE: Craking Serv-u passwords stored in .ini file.
From: "M. D." <nekromancer () lycos com>
Date: Sat, 04 Sep 2004 17:01:41 +0000
avarni () tech cj com wrote:
> > It would have been much stronger, for example, the following:
> > 1) hash the password, with or without prepending the salt, doesn't matter.
> >    I'm not using it in this example:
> >    password: test
> >    MD5 hash: 098F6BCD4621D373CADE4E832627B4F6
> > 2) append the salt to the hash:
> >    new "password": ab098F6BCD4621D373CADE4E832627B4F6
> > 3) hash the resulting string:
> >    new MD5 hash: BDF3BAAC3C947956A57CFA97310B5DE0
> > 4) append the salt to the last hash if you like, but I don't see any
> >    particular reason to do so
>
> Huh? Salting does make things harder for password crackers. And yes, you need to display the salt in plaintext. If you skip step #4 as you propose here, then how does the authentication program know which salt was used?
I'm saying that I don't see any reason to append the cleartext salt to the final hash, not that I don't see reasons to use salt. In fact, I suggest using salt! And the authentication program doesn't need to know in advance which salt was used if it is as simple as above; please read below.
> Prepending or appending the cleartext salt is a requirement. Otherwise you'd have to check all possible salts each time someone tries to authenticate.
Disagree. If the salt is 2 lowercase alpha characters, as it *seems* to be the case in all examples of Serv-u I've seen in this thread, you've 26^2 possible salts (don't rush for the calculator, that's 676). Taking the user input (password), creating an internal table with the 676 possible salted passwords and then doing the double hashing mentioned above (you DON'T have to try each of the 676 salts AGAIN, just use the same one!) won't take long for your program (<1 second?), and you avoid giving that extra bit of information to an eventual cracker.

If the salt is devilishly more complex, I agree that it'll be a better idea to provide it to the authentication program somehow if performance is an issue.

I hope that it's clearer now.

Cheers,
Nekromancer
--
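The verification scheme argued above (MD5 of the password, salt appended, hashed again, salt not stored, server tries all 676 two-letter salts), as an added Python example that is not part of the original post and is not Serv-U's own algorithm; the lowercase two-letter salt alphabet is assumed from the thread's examples, and MD5 is used only because that is what the thread discusses:

```python
# Added example: the double-hashing scheme from the thread, with the
# server recovering the 2-letter salt by trial instead of storing it.
# Assumptions: salt = 2 lowercase ASCII letters (26^2 = 676 candidates),
# hashes written as uppercase hex as in the thread. MD5 is used only
# because the thread is about MD5; it is not a recommendation.
import hashlib
import hmac
import itertools
import string

SALT_ALPHABET = string.ascii_lowercase


def md5_hex(data: str) -> str:
    """Uppercase hex MD5, matching the formatting used in the thread."""
    return hashlib.md5(data.encode("ascii")).hexdigest().upper()


def double_hash(password: str, salt: str) -> str:
    """Steps 1-3 from the thread: MD5(salt + MD5(password))."""
    inner = md5_hex(password)   # step 1: hash the password (no salt here)
    salted = salt + inner       # step 2: append the salt to the hash
    return md5_hex(salted)      # step 3: hash the resulting string


def all_salts():
    """Every candidate salt, 676 in total."""
    for a, b in itertools.product(SALT_ALPHABET, repeat=2):
        yield a + b


def verify_without_stored_salt(stored_hash: str, password: str):
    """Step 4 skipped: the stored value carries no salt. The inner hash is
    computed once; each candidate salt costs one more MD5. Returns the salt
    that reproduces stored_hash, or None when the password is wrong."""
    inner = md5_hex(password)
    for salt in all_salts():
        if hmac.compare_digest(md5_hex(salt + inner), stored_hash):
            return salt
    return None


def verify_with_stored_salt(stored: str, password: str) -> bool:
    """Step 4 kept: the cleartext salt follows the 32-hex-char hash, so a
    single double_hash() is enough to check the password."""
    stored_hash, salt = stored[:32], stored[32:]
    return hmac.compare_digest(double_hash(password, salt), stored_hash)


if __name__ == "__main__":
    record = double_hash("test", "ab")          # constructed sample record
    print("stored (no salt):", record)
    print("salt recovered:", verify_without_stored_salt(record, "test"))
    print("wrong password:", verify_without_stored_salt(record, "wrong"))
```

The trial loop costs at most 677 MD5 computations per login, which is the "<1 second" the post refers to; it only works because the salt space is this small.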