> From: openmailadmin@googlegroups.com
> [mailto:openmailad...@googlegroups.com] On Behalf Of Lars Düsing
> 
> You have a massive security flaw in your implementation of crypt:
> 
> in file inc/lib/PasswordCrypt.php:
> 
>     return crypt($plaintext, substr($plaintext,0,2));
> 
> 
> You use the first two characters of the plain password as salt.
> Not very clever, is it? [...]
> 
> Please correct the file immediately, and inform all users to change the
> passwords at once.

Thank you for your review. What you call a security flaw is not one.

This is due to the nature of crypt(): it only hashes the password, so you 
cannot tell from the hash which password was used.
The salt has to be chosen that way to be compatible with WebCyradm's 
passwords, pam_crypt.so and others. Although you can create rainbow tables 
(*) more easily knowing the salt, salting the "PHP" way won't add another line 
of defense.

Indeed, quite a few systems still use plaintext for password storage (IMHO a 
bad idea) to enable "DIGEST" authentication over SMTP/POP3/IMAP... After all, you 
will still have to break into the database to take advantage of weak cryptography.

Finally, OMA's default is to require passwords between eight and 16 characters 
(*); MD5 hashes are the default, and SHA1 is available as an option.
So, no false panic please.
-- Mark
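The two ways of choosing the crypt() salt that this thread argues about, side by side. This is an added illustration, not code from OpenMailAdmin or from either poster; the function names and the sample password are made up for the example. The point it shows is that traditional crypt() output starts with the salt, so a hash produced with the plaintext-derived salt carries the first two characters of the password in the clear, while a random salt from the crypt alphabet stays compatible with DES crypt consumers and leaks nothing.

```php
<?php
// Added example (not OpenMailAdmin's code). Compares the plaintext-derived
// salt quoted from inc/lib/PasswordCrypt.php with a random-salt variant.

// The quoted pattern: the salt is the first two characters of the password.
// Caveat: a password shorter than two characters, or one whose first two
// characters fall outside the crypt salt alphabet, yields an invalid salt
// and crypt() returns a failure string such as "*0".
function hashWithPlaintextSalt(string $plaintext): string {
    return crypt($plaintext, substr($plaintext, 0, 2));
}

// Hardened variant: a random two-character salt drawn from the traditional
// crypt alphabet, so the result is still a plain DES crypt hash that
// pam_crypt.so, WebCyradm and similar consumers can verify.
function hashWithRandomSalt(string $plaintext): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    return crypt($plaintext, $salt);
}

// Verification is identical for both: crypt() reads the salt back out of the
// stored hash, so the stored value itself is passed as the salt argument.
function verify(string $plaintext, string $stored): bool {
    return hash_equals($stored, crypt($plaintext, $stored));
}

// Constructed sample password, not a real credential.
$password = 'hunter2xyz';
$weak   = hashWithPlaintextSalt($password);
$strong = hashWithRandomSalt($password);

// With the weak scheme, the first two characters of every stored hash equal
// the first two characters of the password it protects.
printf("weak:   %s  salt=%s  password prefix=%s\n",
       $weak, substr($weak, 0, 2), substr($password, 0, 2));
printf("strong: %s  salt=%s  (random)\n", $strong, substr($strong, 0, 2));

var_dump(verify($password, $weak));
var_dump(verify($password, $strong));
var_dump(verify('not-the-password', $strong));
```

Where compatibility with DES crypt is not required, PHP's password_hash() with its default algorithm and self-generated salt is the appropriate replacement for either function above.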
