<br><br><div><span class="gmail_quote">On 1/5/07, <b class="gmail_sendername"><a href="mailto:Valdis.Kletnieks@vt.edu">Valdis.Kletnieks@vt.edu</a></b> <<a href="mailto:Valdis.Kletnieks@vt.edu">Valdis.Kletnieks@vt.edu</a>
> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:<br>> This isn't a password disclosure, it's a leak of password information.
<br>><br>> It's a password hash, you super hacker.<br><br>And given the hash, and knowledge of how the hash is computed, it becomes<br>possible to dictionary-attack (and other related techniques), and thus<br>get the actual passwords, unless there are other things in place to ensure
<br>that all users have passwords sufficiently strong to resist those techniques.</blockquote><div><br>yes that's correct but don't forget that hashes can collide<br><br>it could be the case that:<br><br>xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even need the original strong one ;)
<br><br>so strong password is not a countermesure to that<br><br>I beleive that is a BIG security hole<br><br>Regards<br>Waldo<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
And given that this:<br><br>> <a href="http://remote_server/data/users.0.dat">http://remote_server/data/users.0.dat</a><br><br>works, the probability that the hashes represent strong passwords is quite<br>close to nil.
<br><br>In any *practical* sense, the fact that the attacker can get the hash and<br>from that extract/compute at least some passwords means that the passwords<br>are *effectively* disclosed, even if the actual bitstring originally retrieved
<br>isn't the actual password.<br><br><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br><br><br></blockquote></div><br>