WebApp Sec mailing list archives
Re: random character checking at logon
From: "Amit Klein (AKsecurity)" <aksecurity () hotpop com>
Date: Wed, 20 Apr 2005 23:14:48 +0200
On 20 Apr 2005 at 14:59, jimtames () yahoo com wrote:
Hi,
Any advice on this puzzle would really be appreciated.
Well, here's an idea. To simplify, let's say all passwords are 8 chars, and that you need to choose 7 chars out of the 8 and provide them.

Now, you store the sum (mod 256) of all 8 bytes of the password, together with a 1-way hash. When you're provided with 7 chars of the password, add them up, and subtract the number (mod 256) from the sum you have in the DB. The result is the missing char. Now put that char in place, and you have reconstructed the (candidate) password. Use the same 1-way function, and compare to the hash you have in the DB.

Of course, this decreases the effective space for the password brute forcing by 1 byte. You can also use XOR instead of mod 256 addition.

I *think* this can be extended to choosing N out of 8 chars, but I'll have to think about it. I know that it can be extended easily in one way, but it requires runtime (not DB space though).

-Amit
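The 7-of-8 scheme from the reply above, written out as an added example (this is not code from the original message or from its author). It assumes the post's simplification of fixed 8-byte passwords with 7 positions supplied at logon, supports both the sum-mod-256 and the XOR check byte the post mentions, and uses salted SHA-256 as a stand-in for the unspecified 1-way function; the stored-record layout (`mode`, `check`, `salt`, `hash`) and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

PASSWORD_LEN = 8  # the post's simplification: every password is exactly 8 bytes
SUPPLIED = 7      # the user types 7 of the 8 characters; the server infers the 8th


def checksum(data: bytes, mode: str) -> int:
    """One-byte check value: sum mod 256 or XOR (both variants are in the post)."""
    if mode == "sum":
        return sum(data) % 256
    if mode == "xor":
        acc = 0
        for b in data:
            acc ^= b
        return acc
    raise ValueError("mode must be 'sum' or 'xor'")


def one_way(salt: bytes, password: bytes) -> bytes:
    """Stand-in for the post's unspecified 1-way function (assumption: salted SHA-256)."""
    return hashlib.sha256(salt + password).digest()


def enroll(password: bytes, mode: str = "sum", salt: Optional[bytes] = None) -> Dict:
    """Build the DB record: check byte plus salt and hash (record layout is an assumption)."""
    if len(password) != PASSWORD_LEN:
        raise ValueError("password must be exactly %d bytes" % PASSWORD_LEN)
    if salt is None:
        salt = os.urandom(16)
    return {
        "mode": mode,
        "check": checksum(password, mode),
        "salt": salt,
        "hash": one_way(salt, password),
    }


def reconstruct(partial: Dict[int, int], record: Dict) -> bytes:
    """Given 7 (position -> byte) pairs, solve for the one missing byte from the check value."""
    if any(i < 0 or i >= PASSWORD_LEN for i in partial):
        raise ValueError("position out of range")
    missing = [i for i in range(PASSWORD_LEN) if i not in partial]
    if len(partial) != SUPPLIED or len(missing) != 1:
        raise ValueError("exactly %d of %d positions must be supplied" % (SUPPLIED, PASSWORD_LEN))
    # Both check functions are order-independent, so the 7 supplied bytes can be
    # combined in any order and the stored value "minus" them yields the 8th byte.
    provided = checksum(bytes(partial[i] for i in sorted(partial)), record["mode"])
    if record["mode"] == "sum":
        missing_byte = (record["check"] - provided) % 256
    else:
        missing_byte = record["check"] ^ provided
    candidate = bytearray(PASSWORD_LEN)
    for i, b in partial.items():
        candidate[i] = b
    candidate[missing[0]] = missing_byte
    return bytes(candidate)


def verify(partial: Dict[int, int], record: Dict) -> bool:
    """Rebuild the candidate password and compare its hash against the stored one."""
    try:
        candidate = reconstruct(partial, record)
    except ValueError:  # wrong number of positions or a non-byte value supplied
        return False
    return hmac.compare_digest(one_way(record["salt"], candidate), record["hash"])


if __name__ == "__main__":
    pw = b"s3cretPW"  # constructed sample password
    rec = enroll(pw, mode="sum")
    seven = {i: pw[i] for i in range(PASSWORD_LEN) if i != 3}  # position 3 withheld
    print("sum-mode verify:", verify(seven, rec))
    seven[0] = ord("x")
    print("after one wrong char:", verify(seven, rec))
```

Note the caveat the post itself makes: the check byte is stored alongside the hash, so an attacker who obtains the record only has to search 7 unknown bytes instead of 8; the reconstruction step is what lets the server avoid keeping the cleartext at all. In a real deployment the `one_way` stand-in would be a deliberately slow password hash rather than a single SHA-256.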
Current thread:
- random character checking at logon jimtames (Apr 20)
- Re: random character checking at logon Tim (Apr 21)
- Re: random character checking at logon Amit Klein (AKsecurity) (Apr 21)