Re: networksolutions CRYPT-PW salt (was: Re: Insecure handling of
Sat Nov 13 22:02:20 1999
Message-Id: <Pine.LNX.4.10.9911131723390.3632-100000@redhat1.mmaero.com>
Date: Sat, 13 Nov 1999 17:28:49 -0500
Reply-To: jlewis@LEWIS.ORG
From: jlewis@LEWIS.ORG
X-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <199911112016.PAA16256@Twig.Rodents.Montreal.QC.CA>
On Thu, 11 Nov 1999, der Mouse wrote:
> > [T]his makes networksolutions' crypted passwords far more vulnerable
> > to attack using a pre-generated dictionary [...] effectively there is
> > no salt at all.
>
> Right. Isn't that delightful of them?
>
> Of course, there's also the question, what if the first two characters
> do not belong to the a-zA-Z0-9./ set that are used to represent hashed
> passwords? Then the first two chars aren't a valid salt at all.
I don't know if this has been overlooked, or if people are just assuming
that most will use NetSlo's web forms...but you're free to send them your
own personally crypted password. I didn't even know they had a form for
creating your crypted password.
----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org*| Spammers will be winnuked or
System Administrator | nestea'd...whatever it takes
Atlantic Net | to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
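An added illustration (not part of the thread) of the two points raised above: a salt taken from the password's own first two characters makes an attacker's precomputed dictionary no bigger than the wordlist itself, and it may not even be a legal crypt(3) salt. The hash below is a SHA-256 stand-in for crypt(3) (an assumption, since the salt handling rather than the hash is the point); all function names and the wordlist are constructed for the example.

```python
import hashlib
import os
import string

# The 64 characters crypt(3) accepts in a traditional two-character salt.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"


def valid_salt(salt: str) -> bool:
    """True only if `salt` is exactly two characters from the crypt(3) salt set."""
    return len(salt) == 2 and all(c in SALT_ALPHABET for c in salt)


def derived_salt(password: str) -> str:
    """Salt derivation described in the thread: the password's first two characters."""
    return password[:2]


def random_salt() -> str:
    """A proper salt: two characters chosen independently of the password
    (256 % 64 == 0, so the modulo introduces no bias)."""
    return "".join(SALT_ALPHABET[b % len(SALT_ALPHABET)] for b in os.urandom(2))


def crypt_like(password: str, salt: str) -> str:
    """Stand-in for crypt(3): salt prefix plus a truncated salted digest."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def all_salts():
    """Every possible two-character salt (64 * 64 = 4096 values)."""
    return [a + b for a in SALT_ALPHABET for b in SALT_ALPHABET]


def precomputed_table(wordlist, salts_for_word):
    """Map every hash an attacker must precompute back to its word.
    `salts_for_word(word)` yields the salts that could accompany that word."""
    table = {}
    for word in wordlist:
        for salt in salts_for_word(word):
            table[crypt_like(word, salt)] = word
    return table


def table_sizes(wordlist):
    """Entries needed to cover `wordlist`: password-derived salt vs. random salt."""
    derived = precomputed_table(wordlist, lambda w: [derived_salt(w)])
    proper = precomputed_table(wordlist, lambda w: all_salts())
    return len(derived), len(proper)
```

With the derived salt the table has one entry per word, so a stored hash is a single dictionary lookup; with an independent salt it is 4096 times larger. A password beginning with a character outside the salt alphabet (a space or `!`, say) yields a salt that `valid_salt` rejects, which is the second problem der Mouse raises.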