Penetration Testing mailing list archives

RE: Validating if password is encoded or encrypted


From: Maksim.Filenko () fuib com
Date: Mon, 12 Sep 2011 17:37:23 +0300

Hey Karen,

It is possible for passwords to be encrypted (i.e. with AES) and then 
encoded with Base64 before storing it in DB.

What do you get after decoding those Base64 strings? Binary data?

wbr,
 - Max

Hi Everyone,  I'm currently reviewing an app prior to launching to our
prod. One of our security requirements is for the password to be
encrypted.
When I checked the password field in the DB, I noticed that all passwords
are ending with a double equal sign, e.g. "==".
I am under the impression that they are just base64 encoded rather
than encrypted. However, I tried decoding it using base64 but I'm not
getting valid data.

Am I right in saying that the password is encoded? If yes, with what,
e.g. base64?
How can I prove or show them that the password is just encoded
rather than encrypted?
Or is it encrypted?
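The check Max is suggesting, written out as an added example (it is not from the thread or from any of the posters): Base64-decode the stored value and look at what comes back. Readable text means the value was only encoded; opaque bytes mean something else (encryption, or a hash) was applied before encoding. The two sample values are constructed here to stand in for both cases; the verdict strings and the 16-byte block-alignment heuristic are this example's own choices, and the result is an indicator for a reviewer, not proof that a particular cipher was used.

```python
import base64
import binascii
import math

# Constructed sample values for the two possibilities behind a stored value
# that ends in "==". Neither comes from the original thread.
SAMPLE_ENCODED_ONLY = base64.b64encode(b"Summer2011").decode()   # 10 bytes of text, padded "=="
SAMPLE_OPAQUE = base64.b64encode(
    bytes.fromhex("9f3a7c11e4b20d5a6f83c9d21b7e4a0c")            # 16 constructed bytes, one AES block
).decode()


def decode_base64(value: str):
    """Return the decoded bytes, or None when the value is not well-formed Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text clusters low, ciphertext and hashes sit
    near the maximum achievable for the sample length."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(value: str) -> dict:
    """Describe what a stored value decodes to. The verdict is a reviewer's
    indicator, not proof that encryption was applied."""
    raw = decode_base64(value)
    if raw is None:
        return {"base64": False, "verdict": "not valid Base64 (or not Base64 at all)"}
    text = looks_like_text(raw)
    block_aligned = len(raw) % 16 == 0   # heuristic: AES operates on 16-byte blocks
    if text:
        verdict = "decodes to readable text: Base64 encoding only, no encryption"
    elif block_aligned:
        verdict = ("decodes to opaque bytes whose length is a multiple of 16: "
                   "consistent with a block cipher such as AES, but not proof of it")
    else:
        verdict = ("decodes to opaque bytes of non-block length: "
                   "encrypted or hashed, confirm from the application code")
    return {
        "base64": True,
        "padding": value.count("="),     # two '=' means the decoded length is 1 mod 3
        "decoded_length": len(raw),
        "printable_text": text,
        "block_aligned": block_aligned,
        "entropy_bits_per_byte": round(shannon_entropy(raw), 2),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, value in (("encoded only", SAMPLE_ENCODED_ONLY), ("opaque", SAMPLE_OPAQUE)):
        print(label, value, classify(value), sep="\n  ")
```

The trailing "==" by itself only tells you the decoded length leaves a remainder of 1 when divided by 3; it says nothing about what was encoded. The useful signal is whether the decoded bytes are readable, and for opaque bytes the length and entropy only narrow down what the application might have done, so the final answer has to come from reading the code that writes the column (and, if a cipher is used, from where its key lives).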
