[21545] in bugtraq
Re: Messenger/Hotmail passwords at risk
daemon@ATHENA.MIT.EDU (Mark)
Mon Jul 16 18:05:12 2001
Date: 16 Jul 2001 21:12:38 +0000
Message-ID: <20010716211238.5638.qmail@prefix.bushwire.net>
From: "Mark" <markd-bugtraq@BushWire.Net>
To: bugtraq@securityfocus.com
In-Reply-To: <27B17B8B25A3D411B45800805FA7F01CF68F11@mtvmail.merant.com>; from Michael.Wojcik@merant.com on Mon, Jul 16, 2001 at 10:45:48AM -0700
> The simplest of these, in terms of retrofitting existing systems that use
> one of the constructions Ishikawa mentions, is
>
> H(password || H(password || known-string))

Which is very close to CRAM-MD5. That uses:

H( (password XOR 0x5C) || H( (password XOR 0x36) || challenge-string));

Regards.
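
The two constructions named in this message, side by side, as an added example that is not part of the original post. The function names are illustrative, the secret and challenge are the example values from RFC 2195 section 2, and the hand-written version assumes the RFC 2104 HMAC layout (key zero-padded to the 64-byte MD5 block, XOR constants applied to every byte).

```python
import hashlib
import hmac

BLOCK = 64  # MD5 input block size in bytes


def nested_hash(password: bytes, known: bytes) -> str:
    """Quoted retrofit form: H(password || H(password || known-string))."""
    inner = hashlib.md5(password + known).digest()
    return hashlib.md5(password + inner).hexdigest()


def cram_md5_manual(password: bytes, challenge: bytes) -> str:
    """HMAC-MD5 written out by hand, as CRAM-MD5 (RFC 2195) uses it."""
    key = password
    if len(key) > BLOCK:             # over-long keys are hashed first (RFC 2104)
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")  # then zero-padded to one full block
    ipad = bytes(b ^ 0x36 for b in key)  # inner pad
    opad = bytes(b ^ 0x5C for b in key)  # outer pad
    inner = hashlib.md5(ipad + challenge).digest()
    return hashlib.md5(opad + inner).hexdigest()


def cram_md5_response(user: str, password: bytes, challenge: bytes) -> str:
    """Client response before base64 encoding: '<user> <hex digest>'."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


# Example values published in RFC 2195, section 2.
SECRET = b"tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

if __name__ == "__main__":
    print("nested  :", nested_hash(SECRET, CHALLENGE))
    print("manual  :", cram_md5_manual(SECRET, CHALLENGE))
    print("response:", cram_md5_response("tim", SECRET, CHALLENGE))
```

The hand-written digest matches the standard library's HMAC, while the plain nested hash gives a different value for the same inputs because it has no block padding or pad constants.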