Penetration Testing mailing list archives
RE: Validating if password is encoded or encrypted
From: Maksim.Filenko () fuib com
Date: Mon, 12 Sep 2011 17:37:23 +0300
Hey Karen,

It is possible for passwords to be encrypted (i.e. with AES) and then encoded with Base64 before storing them in the DB. What do you get after decoding those Base64 strings? Binary data?

wbr,
- Max
Hi Everyone,

I'm currently reviewing an app prior to launching to our prod. One of our security requirements is for the password to be encrypted. When I checked the password field in the DB, I noticed that all passwords are ending with a double equal sign, e.g. "==". I am under the impression that they are just base64 encoded rather than encrypted. However, I tried decoding it using base64 but I'm not getting valid data. Am I right in saying that the password is encoded? If yes, with what, e.g. base64? How can I prove or show them that the password is just encoded rather than encrypted? Or is it encrypted?
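The check asked about in the reply above (decode the Base64 and look at what comes out), as an added example that is not part of the original thread. The function names and all sample values are constructed for illustration, and the labels are heuristics rather than proof of how the application stores passwords.

```python
import base64
import binascii
import hashlib

# Raw output sizes in bytes of common hash functions (general facts, not findings about the app).
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}


def classify(stored):
    """Base64-decode one stored value and describe the bytes that come out."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return {"base64": False}
    printable = sum(32 <= b < 127 for b in raw)
    return {
        "base64": True,
        "length": len(raw),
        "printable_ratio": printable / len(raw) if raw else 0.0,
        "digest_size": DIGEST_SIZES.get(len(raw)),
        "block_multiple": len(raw) > 0 and len(raw) % 16 == 0,  # AES block = 16 bytes
    }


def verdict(info):
    """Turn the measurements into a cautious label; these are heuristics, not proof."""
    if not info["base64"]:
        return "not base64"
    if info["printable_ratio"] == 1.0:
        return "encoded plaintext"
    if info["digest_size"]:
        return "binary, digest-sized (hash or short ciphertext)"
    if info["block_multiple"]:
        return "binary, block-aligned (possible block cipher output)"
    return "binary, unclassified"


# Constructed sample values, not taken from any real database.
SAMPLES = {
    "plain": base64.b64encode(b"Summer2011!").decode(),
    "md5": base64.b64encode(hashlib.md5(b"password").digest()).decode(),
    "blocks": base64.b64encode(bytes(range(128, 176))).decode(),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, value, "->", verdict(classify(value)))
```

A 16-byte value always Base64-encodes to 24 characters ending in `==`, so that padding on every row is consistent with fixed-length binary output such as a digest or a single cipher block. Setting two test accounts to the same password and comparing the stored values separates a deterministic scheme from one that uses a per-record salt or IV.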
Current thread:
- Validating if password is encoded or encrypted Karen Sy (Sep 06)
- RE: Validating if password is encoded or encrypted Maksim . Filenko (Sep 16)
- RE: Validating if password is encoded or encrypted Abe (Sep 17)