Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords

from [Jim Knoble] Network Security [Permanent Link]
Subject: Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
Date: Wed, 20 Apr 2005 22:58:34 -0400 
Circa 2005-04-20 dixit Jim C. Nasby:

: Actually, it's not as silly as you think. You can download rainbow
: tables for Windows/LanMan passwords up to 14 or 15 characters in length.
: Given the password hash and some code, you can determine the user's
: password in a matter of minutes.

I thought the idea of the salt was to aid in expanding the keyspace.
Even though the salt is known (in traditional Unix
passwd/shadow/master.passwd databases, it's stored at the beginning of
the password field), appending the salt to the password expands the
keyspace to length(password) + length(salt).  With a (barely) reasonable
8-byte password and an 8-byte salt, that gives you a 128-bit key (if you
use password+salt as the key).  Remember that the keyspace for a 16-byte
password is (theoretically) 256 times as large as the keyspace for a
15-byte password.  If you require 10- or 12-byte passwords and add 12
bytes of salt, you approach 192-bit keys and get a keyspace between
10^14 and 10^21 times as large as 15-byte passwords (assuming your
password hash algorithm can handle 192-bit keys).  Even a 160-bit key
(20 bytes = 10-byte password + 10-byte salt) has a formidable keyspace,
for now, assuming high-quality keys: 10^48 keys * 20 bytes is a lot of
storage space.

: Simply put, MD5 is no longer strong enough for protecting secrets. It's
: just too easy to brute-force. SHA1 is ok for now, but it's days are
: numbered as well. I think it would be good to alter SHA1 (or something
: stronger) as an alternative to MD5[...].

"Something stronger" being bcrypt-2a, based on Blowfish.  Solar
Designer's public domain implementation is here:

    http://www.openwall.com/crypt/

-- 
jim knoble  |  jmknoble@pobox.com  |  http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 809F:09B9:9686:D035:4AB0::9455:124B:0A62:DD6A:76D6)
 .....................................................................
 :"The methods now being used to merchandise the political candidate :
 : as though he were a deodorant positively guarantee the electorate :
 : against ever hearing the truth about anything."   --Aldous Huxley :
 :...................................................................:
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords, Stephen Frost
Next by Date:  MDKSA-2005:073 - Updated cvs packages fix vulnerability, Mandriva Security Team
Previous by Thread:  Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted, Michael Samuel
Next by Thread:  RE: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords, Mike Fratto
Indexes:  [Date] [Thread] [Top] [All Lists]