[12545] in bugtraq
Re: networksolutions CRYPT-PW salt (was: Re: Insecure handling of
daemon@ATHENA.MIT.EDU (der Mouse)
Fri Nov 12 12:42:21 1999
Message-Id: <199911112016.PAA16256@Twig.Rodents.Montreal.QC.CA>
Date: Thu, 11 Nov 1999 15:16:29 -0500
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM

> [T]his makes networksolutions' crypted passwords far more vulnerable
> to attack using a pre-generated dictionary [...] effectively there is
> no salt at all.

Right. Isn't that delightful of them?

Of course, there's also the question, what if the first two characters
do not belong to the a-zA-Z0-9./ set that are used to represent hashed
passwords? Then the first two chars aren't a valid salt at all.

Feh. Of all the people to make a gross blunder like this....

der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
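
Added example, not part of the message above and not Network Solutions' code: it shows why a salt taken from the password's first two characters gives every account with the same password the same hash, and which passwords yield a prefix outside the a-zA-Z0-9./ salt alphabet. Assumptions: `toy_crypt` is a SHA-256 stand-in for the DES-based crypt(3), all function names are hypothetical, and the sample passwords are constructed.

```python
import hashlib
import string

# The 64 characters crypt(3) uses for salts and hash output.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"

def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): returns salt + salted digest. NOT real DES crypt."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()[:11]
    return salt + digest

def salt_from_password(password: str) -> str:
    """Scheme discussed in the thread: salt is the password's first two characters."""
    return password[:2]

def is_valid_salt(salt: str) -> bool:
    """A traditional salt is exactly two characters from SALT_ALPHABET."""
    return len(salt) == 2 and all(c in SALT_ALPHABET for c in salt)

def precomputed_entries(dictionary_size: int, password_derived: bool) -> int:
    """Table entries needed to cover every (word, salt) pair an account could use."""
    salts_per_word = 1 if password_derived else len(SALT_ALPHABET) ** 2
    return dictionary_size * salts_per_word

def weak_salt_report(passwords):
    """Map each password to (derived salt, whether that salt is valid)."""
    return {p: (salt_from_password(p), is_valid_salt(salt_from_password(p)))
            for p in passwords}

if __name__ == "__main__":
    # Constructed sample data: two accounts that chose the same password.
    alice = toy_crypt("sunshine", salt_from_password("sunshine"))
    bob = toy_crypt("sunshine", salt_from_password("sunshine"))
    print("derived salt, same password, same hash:", alice == bob)
    # Independently chosen salts (constructed values) separate the two hashes.
    print("independent salts give different hashes:",
          toy_crypt("sunshine", "aB") != toy_crypt("sunshine", "x/"))
    print("table entries, 100000 words, derived salt:",
          precomputed_entries(100_000, True))
    print("table entries, 100000 words, random salt: ",
          precomputed_entries(100_000, False))
    # Prefixes with characters outside the alphabet, or too short, are invalid.
    print(weak_salt_report(["sunshine", "p@ssword", "#1fan", "x"]))
```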