Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: random character checking at logon

from [Amit Klein (AKsecurity)] Network Security [Permanent Link]
Subject: Re: random character checking at logon
Date: Wed, 20 Apr 2005 23:14:48 +0200 
On 20 Apr 2005 at 14:59, jimtames@yahoo.com wrote:




Hi,

Any advice on this puzzle would really be appreciated.



Well, here's an idea. To simplify, let's say all passwords are 8 
chars, and that you need to choose 7 chars out of the 8 and provide 
them. 
Now, you store the sum (mod 256) of all 8 bytes of the password, 
together with a 1-way hash.
When you're provided with 7 chars of the password, add them up, and 
subtract the number (mod 256) from the sum you have in the DB. The 
result is the missing char. Now put that char in place, and you have 
reconstructed the (candidate) password. Use the same 1-way function, 
and compare to the hash you have in the DB.

Of course, this decreases the effective space for the password brute 
forcing by 1 byte.

You can also use XOR instead of mod 256 addition. 

I *think* this can be extended to choosing N out of 8 chars, but I'll 
have to think about it. I know that it can be extended easily in one 
way, but it requires runtime (not DB space though).

-Amit
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: GMail blocking "executable" attachments, Wilfried Schobeiri
Next by Date:  RE: webapp dependencies, Scovetta, Michael V
Previous by Thread:  Re: random character checking at logon, Tim
Next by Thread:  Re: phpBB Ban, Ole Martin Eide
Indexes:  [Date] [Thread] [Top] [All Lists]