RE: Validating if password is encoded or encrypted
- From: Maksim.Filenko@xxxxxxxx
- Date: Mon, 12 Sep 2011 17:37:23 +0300
Hey Karen,
It is possible for passwords to be encrypted (i.e. with AES) and then
encoded with Base64 before storing them in the DB.
What do you get after decoding those Base64 strings? Binary data?
wbr,
- Max
Hi Everyone, I'm currently reviewing an app prior to launching to our
prod. One of our security requirements is for the password to be
encrypted.
When I checked the password field in the DB, I noticed that all passwords
are ending with a double equal sign, e.g. "==".
I am under the impression that they are just base64 encoded rather
than encrypted. However, I tried decoding it using base64 but I'm not
getting valid data.
Am I right in saying that the password is encoded? If yes, with what,
e.g. base64?
How can I prove or show them that the password is just encoded
rather than encrypted?
Or is it encrypted?
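
The check asked about in the reply above (what the Base64 strings decode to), written as a triage script for a sample of the password column. This is an added example, not part of the original thread. The sample values and the helper names `classify` and `decoded_lengths` are constructed here, and the length heuristics only narrow the possibilities.

```python
import base64
import binascii
import hashlib

# Raw digest sizes in bytes of common hashes (general facts, not from the thread).
DIGEST_SIZES = {16: "MD5", 20: "SHA-1", 32: "SHA-256", 64: "SHA-512"}


def classify(stored: str) -> str:
    """Heuristic triage of one stored value; it narrows the options, it proves nothing."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (binascii.Error, ValueError):
        return "not valid Base64"
    if not raw:
        return "empty"
    # Printable ASCII after decoding means the value was only encoded.
    if all(0x20 <= b < 0x7F for b in raw):
        return "encoded only: decodes to readable text"
    if len(raw) in DIGEST_SIZES:
        return f"binary, {len(raw)} bytes: {DIGEST_SIZES[len(raw)]}-sized digest or block-cipher output"
    if len(raw) % 16 == 0:
        return f"binary, {len(raw)} bytes: multiple of the 16-byte AES block"
    return f"binary, {len(raw)} bytes: no 16-byte alignment"


def decoded_lengths(values) -> list:
    """Distinct decoded lengths in a column sample. A hash gives one length for
    every password; block-cipher output grows with the length of the password."""
    return sorted({len(base64.b64decode(v, validate=True)) for v in values})


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample values (not taken from any real database).
PLAIN = b64(b"hunter2")                              # Base64 of the password itself
MD5_ROW = b64(hashlib.md5(b"password").digest())     # Base64 of a raw MD5 digest
LONG_MD5_ROW = b64(hashlib.md5(b"p" * 40).digest())  # 40-character password, same scheme
CIPHER_LIKE = b64(bytes(range(200, 248)))            # 48 constructed bytes standing in for ciphertext

if __name__ == "__main__":
    for value in (PLAIN, MD5_ROW, LONG_MD5_ROW, CIPHER_LIKE, "not base64!!"):
        print(f"{value:70} {classify(value)}")
    print("decoded lengths, hashed rows:", decoded_lengths([MD5_ROW, LONG_MD5_ROW]))
```

A trailing "==" only says the decoded length leaves a remainder of 1 when divided by 3, which is true of every 16-byte value. Setting a much longer password on a test account and comparing the stored lengths separates a fixed-size hash from block-cipher output.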