[gentoo-user] Grub md5crypt broken
I started having problems with my boot password not too long after I changed it and I stumbled upon something altogether weird. The following is a copy of what grub is giving me for an md5 hash:

--
grub> md5crypt
Password:
Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
grub> md5crypt
Password:
Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
grub> md5crypt
Password:
Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
grub> md5crypt
Password:
Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
grub>
--

Now, keep in mind that the word I'm typing is 'test'. No capitalization, no spaces, no nonsense. And yet the hashes md5crypt returns are all different. Now, that's no good if you ask me.

Is anyone else experiencing the same issue?

Thanks.

--
Dan Cowsill
http://www.danthehat.net

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] Grub md5crypt broken
On 8/21/07, Dan Cowsill [EMAIL PROTECTED] wrote:
> I started having problems with my boot password not too long after I changed it and I stumbled upon something altogether weird. The following is a copy of what grub is giving me for an md5 hash:
>
> --
> grub> md5crypt
> Password:
> Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
> grub> md5crypt
> Password:
> Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
> grub> md5crypt
> Password:
> Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
> grub> md5crypt
> Password:
> Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
> grub>
> --
>
> Now, keep in mind that the word I'm typing is 'test'. No capitalization, no spaces, no nonsense. And yet the hashes md5crypt returns are all different. Now, that's no good if you ask me.
>
> Is anyone else experiencing the same issue?

Yes. But all hashes work. Maybe this is not actually md5?

--
Vladimir Rusinov
GreenMice Solutions: Linux-based IT solutions
http://greenmice.info/
Re: [gentoo-user] Grub md5crypt broken
On 8/20/07, Vladimir Rusinov [EMAIL PROTECTED] wrote:
> On 8/21/07, Dan Cowsill [EMAIL PROTECTED] wrote:
>> I started having problems with my boot password not too long after I changed it and I stumbled upon something altogether weird. The following is a copy of what grub is giving me for an md5 hash:
>>
>> --
>> grub> md5crypt
>> Password:
>> Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
>> grub> md5crypt
>> Password:
>> Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
>> grub> md5crypt
>> Password:
>> Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
>> grub> md5crypt
>> Password:
>> Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
>> grub>
>> --
>>
>> Now, keep in mind that the word I'm typing is 'test'. No capitalization, no spaces, no nonsense. And yet the hashes md5crypt returns are all different. Now, that's no good if you ask me.
>>
>> Is anyone else experiencing the same issue?
>
> Yes. But all hashes work. Maybe this is not actually md5?
>
> --
> Vladimir Rusinov
> GreenMice Solutions: Linux-based IT solutions
> http://greenmice.info/

A possibility, but the point of hashing a password is that the hash will be the same each time, allowing one to compare a user submitted password to a securely stored one.

--
Dan Cowsill
http://www.danthehat.net
Re: [gentoo-user] Grub md5crypt broken
On 8/20/07, Dan Cowsill [EMAIL PROTECTED] wrote:
> I started having problems with my boot password not too long after I changed it and I stumbled upon something altogether weird. The following is a copy of what grub is giving me for an md5 hash:
>
> --
> grub> md5crypt
> Password:
> Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
> grub> md5crypt
> Password:
> Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
> grub> md5crypt
> Password:
> Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
> grub> md5crypt
> Password:
> Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
> grub>
> --
>
> Now, keep in mind that the word I'm typing is 'test'. No capitalization, no spaces, no nonsense. And yet the hashes md5crypt returns are all different. Now, that's no good if you ask me.

These are all password-recognizers, not md5 hash strings (ok, they are in part). The $1$ identifies a salt lead-in, the next part is the salt for your password (generated randomly) up to the next $, then the hash of your password + salt (to the end of the string). Given the secret salt, Grub (or anything else using this method) can combine it with the candidate password and check the hash. But since the salt is random you get a different hash every time.

This behavior is desirable in case you have two or more password recognizers in the same config file (or in files accessible to the same untrusted reader). It prevents identical passwords from being detected (as you demonstrated) by reading the recognizer strings.

So no, not broken, just not what you expected.
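Don's description, carried through as a runnable example. This is an added example for this thread, not GRUB's code: it is a pure-Python transcription of Poul-Henning Kamp's md5crypt ($1$) algorithm, and it assumes that GRUB legacy's `md5crypt` command and `password --md5` line use that standard format (the same one `openssl passwd -1` and /etc/shadow $1$ entries use). One caveat on the wording above: the salt is not secret. It sits in the clear between the second and third $, and that is exactly how the checker recovers it at boot; what a fresh random salt buys is that two identical passwords do not yield identical strings and that a precomputed table for plain MD5("test") is useless against the file. The four strings from Dan's session are embedded as constructed input; `check_thread_hashes("test")` should return True for all four if the password typed really was `test`, which is what Vladimir reports.

```python
"""md5crypt ($1$) in pure Python: same password + different salt = different string.

Added example for the gentoo-user thread, not GRUB's own code. Assumes GRUB
legacy's md5crypt output is the standard $1$<salt>$<22 chars> format.
"""
import hashlib
import secrets

MAGIC = "$1$"
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed input: the four strings Dan pasted from his grub> session.
THREAD_HASHES = [
    "$1$vhwK6$dV.xpYBymjq7.cZVnFZYe0",
    "$1$miwK6$BKU11//PyeKMxtgiCbEeZ0",
    "$1$njwK6$3KqXwDtPqGm6cBGQgSl2.0",
    "$1$YkwK6$QCQguFhrGofbJXYnA62J91",
]


def _to64(value, n):
    """md5crypt's own base64: n six-bit groups, least significant first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def parse_md5crypt(hashed):
    """Split '$1$<salt>$<digest>' into (salt, digest); reject any other shape."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an md5crypt string: %r" % hashed)
    salt, digest = parts[2], parts[3]
    if not 0 < len(salt) <= 8 or len(digest) != 22:
        raise ValueError("bad salt or digest length in %r" % hashed)
    return salt, digest


def md5crypt(password, salt):
    """Deterministic: the same (password, salt) always gives the same string."""
    pw = password.encode()
    salt = salt[:8].encode()  # md5crypt uses at most 8 salt characters

    # Main context starts with pw, magic, salt; then as many bytes of
    # MD5(pw + salt + pw) as the password is long.
    inner = hashlib.md5(pw + salt + pw).digest()
    ctx = hashlib.md5(pw + MAGIC.encode() + salt)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(inner[: min(16, remaining)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte if set, the first password byte if clear.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds mixing pw, salt and the running digest.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Encode the 16 digest bytes in md5crypt's permuted triple order.
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out.append(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4))
    out.append(_to64(final[11], 2))
    return MAGIC + salt.decode() + "$" + "".join(out)


def generate(password, salt_len=8):
    """What `grub> md5crypt` does: pick a fresh random salt, then hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(salt_len))
    return md5crypt(password, salt)


def verify(password, hashed):
    """What the boot-time check does: re-hash with the salt read from the string."""
    salt, _ = parse_md5crypt(hashed)
    return secrets.compare_digest(md5crypt(password, salt), hashed)


def check_thread_hashes(password):
    """Map each of Dan's four strings to whether `password` verifies against it."""
    return {h: verify(password, h) for h in THREAD_HASHES}


if __name__ == "__main__":
    print(generate("test"))
    print(generate("test"))  # same password, new salt, different string
    for h, ok in check_thread_hashes("test").items():
        print(ok, h)
```

Running the block twice prints two different `$1$...` strings for `test`, and `verify("test", ...)` accepts both; that is the behaviour the thread is about. Note that md5crypt's 1000 MD5 rounds were meant to slow down brute force in the 1990s and are cheap on current hardware, which is why GRUB 2 switched to PBKDF2-SHA512 (`grub-mkpasswd-pbkdf2`); for GRUB legacy the practical defence is a long passphrase and keeping menu.lst unreadable to untrusted users.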
Re: [gentoo-user] Grub md5crypt broken
On 8/20/07, Don Jerman [EMAIL PROTECTED] wrote:
> On 8/20/07, Dan Cowsill [EMAIL PROTECTED] wrote:
>> I started having problems with my boot password not too long after I changed it and I stumbled upon something altogether weird. The following is a copy of what grub is giving me for an md5 hash:
>>
>> --
>> grub> md5crypt
>> Password:
>> Encrypted: $1$vhwK6$dV.xpYBymjq7.cZVnFZYe0
>> grub> md5crypt
>> Password:
>> Encrypted: $1$miwK6$BKU11//PyeKMxtgiCbEeZ0
>> grub> md5crypt
>> Password:
>> Encrypted: $1$njwK6$3KqXwDtPqGm6cBGQgSl2.0
>> grub> md5crypt
>> Password:
>> Encrypted: $1$YkwK6$QCQguFhrGofbJXYnA62J91
>> grub>
>> --
>>
>> Now, keep in mind that the word I'm typing is 'test'. No capitalization, no spaces, no nonsense. And yet the hashes md5crypt returns are all different. Now, that's no good if you ask me.
>
> These are all password-recognizers, not md5 hash strings (ok, they are in part). The $1$ identifies a salt lead-in, the next part is the salt for your password (generated randomly) up to the next $, then the hash of your password + salt (to the end of the string). Given the secret salt, Grub (or anything else using this method) can combine it with the candidate password and check the hash. But since the salt is random you get a different hash every time.
>
> This behavior is desirable in case you have two or more password recognizers in the same config file (or in files accessible to the same untrusted reader). It prevents identical passwords from being detected (as you demonstrated) by reading the recognizer strings.
>
> So no, not broken, just not what you expected.

Right, not what I expected to be sure. I would like to know how they did that, though!

Thanks for enlightening me,
Dan

--
Dan Cowsill
http://www.danthehat.net