  Re: Password difficulty  
From: Jim Henderson
Date: 12 Aug 2011 12:52:46
Message: <4e455a5e$1@news.povray.org>
On Fri, 12 Aug 2011 08:45:30 +0200, Le_Forgeron wrote:

> Are you aware that some current glibc2 version of crypt can move away
> from the traditional one way function (DES) with a salt of 2 chars to
> use an alternative hashing algorithm (MD5/blowfish/sha-256/sha-512) with
> a salt in [a-zA-Z0-9./] of 16 chars (instead of 2).
> 
> There is also a pitfall: only SHA-* take into account the whole password
> (MD5 stops at 8 chars, as does classical DES).
> 
> So, yes, "correct horse battery staple" is a strong password on a
> recent system which uses sha.
> But it is damn weak on an old system, where it gets truncated to
> "correct ". (dictionary attack, word +space, an easy rule)
> 
> The extended salt of MD5 is better against the rainbow book (DES rainbow
> book are very short with only 2 chars of salt), but it is still
> vulnerable to "correct " discovery.

I wasn't aware of the glibc2 issue - but I was aware of how passwords can 
be truncated.  I ran into an issue years ago with a 20-character password 
I used to use on Windows (XP, I think it was, or maybe Win2K).  The 
password routines on that version of Windows would truncate the password 
to 14 characters (IIRC) and generate a hash when setting the password, 
but then would generate the hash with the full password length when 
verifying the password.

End result was that if you set a password to > 14 characters, Windows 
would silently do it and not tell you it was truncating it, and then if 
you tried to login with the full password, a different hash would be 
generated and you wouldn't be able to log in.

ISTR that, even worse, something in the algorithm meant you couldn't just 
enter the first 14 characters of the password and get in - almost as if 
the salt value was based on the original length or something like that.  
Basically, you'd have to hack your way in, login as administrator and 
change the password, or rebuild the system (depending on the 
authentication model).

Kinda nasty.

Jim
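
Added example, not part of the original thread or either poster's message: a Python check that probes a password-hashing routine for the silent truncation discussed above, plus a model of the set/verify mismatch. `make_hasher`, `effective_length` and `set_then_verify` are hypothetical names, and the hasher is a constructed PBKDF2 stand-in, not glibc's crypt or the Windows routines.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value


def make_hasher(limit=None):
    """Constructed stand-in hash; `limit` models silent truncation."""
    def hasher(password: str, salt: bytes = SALT) -> bytes:
        data = password.encode("utf-8")
        if limit is not None:
            data = data[:limit]  # the silent truncation under test
        return hashlib.pbkdf2_hmac("sha256", data, salt, 1000)
    return hasher


def effective_length(hasher, max_len=64):
    """Number of leading characters that influence the hash,
    or None if every position up to max_len matters."""
    base = "a" * max_len
    reference = hasher(base)
    for i in range(max_len):
        probe = base[:i] + "b" + base[i + 1:]
        if hmac.compare_digest(hasher(probe), reference):
            return i  # changing position i had no effect: input is cut here
    return None


def set_then_verify(set_hasher, verify_hasher, password, candidate=None):
    """Store with one routine, check with another (they may differ)."""
    stored = set_hasher(password)
    attempt = verify_hasher(password if candidate is None else candidate)
    return hmac.compare_digest(stored, attempt)


if __name__ == "__main__":
    legacy = make_hasher(8)
    print("legacy effective length:", effective_length(legacy))
    # A truncated prefix is accepted in place of the full passphrase.
    print("prefix accepted:", set_then_verify(
        legacy, legacy, "correct horse battery staple", "correct "))
    # Set path truncates to 14, verify path does not: the owner is locked out.
    print("20-char login works:", set_then_verify(
        make_hasher(14), make_hasher(), "x" * 20))
```

Pointing `effective_length` at a wrapper around a real hashing routine gives a quick regression check that the routine honours the whole password.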

