Re: Password Cracking Challenge...

From: Justin Pryzby (justinpryzby_at_users.sf.net)
Date: 07/28/03

    Date: Mon, 28 Jul 2003 12:44:45 -0700
    To: vuln-dev@securityfocus.com
    
    

    Can't say for sure, but the zeros are interesting. I know the MS NTLM
    scheme takes passwords longer than 7(?) and breaks them up into two
    passwords, each of maximum length 7(?). That's the first thing I'd try.
    The encryption is documented, [http://www.innovation.ch/java/ntlm.html]
    is a good starting point.

    Justin

    On Mon, Jul 28, 2003 at 10:36:04PM +0000, Ronish Mehta wrote:
    > Below is a list of password (case sensitive) together
    > with the encrypted password, is it possible to
    > determine the algorithm used to hash the passwords
    > with this sample?
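
The split mentioned in the reply above, as an added example that is not part of the original message: the LM step of the scheme uppercases the password, null-pads it to 14 bytes, cuts it into two 7-byte halves and spreads each half over an 8-byte DES key. Function names and sample passwords are constructed, ASCII-only input is assumed, and the DES encryption itself is left out.

```python
# Added illustration; names and sample passwords are constructed.
LM_MAX = 14  # the LM step only ever looks at 14 bytes


def lm_halves(password):
    """Uppercase, truncate/null-pad to 14 bytes, split into two 7-byte halves."""
    raw = password.upper().encode("ascii")[:LM_MAX]  # assumption: ASCII input
    raw = raw.ljust(LM_MAX, b"\x00")
    return raw[:7], raw[7:]


def des_key_from_half(half):
    """Spread 56 bits over 8 bytes: 7 key bits in the high bits of each
    byte, low bit set so that every byte has odd parity."""
    if len(half) != 7:
        raise ValueError("expected a 7-byte half")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        byte = ((bits >> (49 - 7 * i)) & 0x7F) << 1
        if bin(byte).count("1") % 2 == 0:
            byte |= 1
        key.append(byte)
    return bytes(key)


def describe(password):
    """Summarise how one password is laid out before the two DES operations."""
    first, second = lm_halves(password)
    return {
        "halves": (first, second),
        "keys": (des_key_from_half(first).hex(), des_key_from_half(second).hex()),
        "second_half_empty": second == b"\x00" * 7,
        "zero_padding_bytes": LM_MAX - min(len(password), LM_MAX),
    }


if __name__ == "__main__":
    for sample in ("short", "Passw0rd", "LongerPassphrase"):  # constructed
        print(sample, describe(sample))
```

A password of seven characters or fewer leaves the second half as seven zero bytes, so every such password produces the same second key and therefore the same second hash half.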

