Title: RE: BFS Strong Password 2.5.1 - Errors when setting up software

Michael:

My comment should have been taken as, I did not know that you could hash a string based upon a certain input value (the -d in the command line).  This provides a constant so that the md5 hash will not change over time. The usage of this program to validate/invalidate a password is very good.  This ensures that a user does not constantly reuse the same password (or the same password in the last number of iterations) without having to store the older passwords in a cleartext field, leaving the password subject to possible compromise.

I've only used the md5 program to verify the contents of a file against a known hash value.  Yes, there are those that will add advertisements to a file provided by another.  This definitely messes up the use of the md5 'hash' as a file validator.

Also, thank you for the link for information provided for the usage of the md5 program.

James McKenzie
 

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Michiel Beijen
Sent: Monday, July 10, 2006 8:22 AM
To: [email protected]
Subject: Re: BFS Strong Password 2.5.1 - Errors when setting up software

You can use md5 to create a hash of a file or a string. The principle is the same. In this case a hash of the password is created and stored. If the user resets his password a hash of the password is created and compared against earlier hashes to see if he has already used this password. The benefit of md5 is of course that it's a one-way-hash mechanism, i.e. if you have the hash you will not be able to tell what the password was, so it is considered safe.

For the options for md5, check man md5
http://seth.positivism.org/man.cgi/md5

Regards,

Michiel
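
Added example, not part of the original messages and not BFS Strong Password's own workflow: the password-history check described in this thread, sketched in Python. It swaps the md5 command for salted PBKDF2-HMAC-SHA256 from hashlib; the class name, history depth, iteration count and sample passwords are assumptions of this example.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 5      # assumed policy: reject reuse of the last 5 passwords
ITERATIONS = 100_000   # assumed PBKDF2 work factor for this example


def hash_password(password, salt):
    """Derive a one-way hash; the salt makes equal passwords hash differently."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Holds (salt, hash) pairs for one user, newest first, never cleartext."""

    def __init__(self, depth=HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # list of (salt, hash) tuples

    def was_used(self, candidate):
        # Every entry has its own salt, so the candidate is re-derived per
        # entry and compared in constant time; no early exit on a match.
        found = False
        for salt, stored in self.entries:
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                found = True
        return found

    def change_password(self, new_password):
        """Record the new password's hash; refuse it if it is in the history."""
        if self.was_used(new_password):
            return False
        salt = os.urandom(16)
        self.entries.insert(0, (salt, hash_password(new_password, salt)))
        del self.entries[self.depth:]  # keep only the last `depth` hashes
        return True


if __name__ == "__main__":
    # Constructed sample passwords; with depth=2 the first one becomes
    # acceptable again once two newer passwords have replaced it.
    history = PasswordHistory(depth=2)
    for pw in ["abcdefg!", "Spring2006#", "abcdefg!", "Summer2006#", "abcdefg!"]:
        ok = history.change_password(pw)
        print(pw, "accepted" if ok else "rejected (reused)")
```
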

On 7/10/06, McKenzie, James J C-E LCMC HQISEC/L3 <[EMAIL PROTECTED]> wrote:
>
> Axton:
>
> Since my knowledge of using md5 to create the hash is limited, is this
> the correct command line to do so?
>
> I have always used md5 to 'unhash' a file to ensure its contents are
> untampered.
>
>
> James McKenzie
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[email protected]] On Behalf Of Axton Grams
> Sent: Friday, July 07, 2006 3:31 PM
> To: [email protected]
> Subject: Re: BFS Strong Password 2.5.1 - Errors when setting up
> software
>
>
> http://www.fourmilab.ch/md5/
> http://www.vonwangelin.com/md5/
> http://ourworld.compuserve.com/homepages/pagrosse/hash.htm
>
> Take your pick.  Just put the executable/dll's into the arsystem directory.
>
> Axton Grams
>
> Kim Moody wrote:
> > James,
> >
> > I have installed this application on our development box and also
> > have had an issue with the MD5.  According to the doc the MD5
> > "creates a one way hash of the proposed new password, and then
> > workflow compares the hash against previously created hashes."
> >
> > I ran a filter log and captured the following information:
> >
> > /* Tue Apr 04 2006 15:42:24.9575 */Start filter processing -- Operation - CREATE
> >      BFS:USR_History - <NULL>
> > Checking BFS:USRHIS_SetEncryptedPWD01 (500)
> >    --> Passed -- perform actions
> >         0: Set Fields
> >                   "C:\Program Files\AR System\md5.exe" -d"abcdefg!"
> >                   Exit code: 1  Value: **** Error while performing filter action
> > /* Tue Apr 04 2006 15:42:24.9759 */     End of filter processing (phase 1)
> >
> > The only way I could get it to work is not using the password
> > hashing/encryption.  So the passwords in the password history are
> > not encrypted.
> >
> > I emailed the developer about the issue in April and have not heard
> > back yet.
> >
> > Hope that helps,
> >
> > Kim Moody
> > University of Houston
> >
> >
> ______________________________________________________________________
> > _________ UNSUBSCRIBE or access ARSlist Archives at
> > http://www.wwrug.org
> >
>
>  __20060125_______________________This posting was submitted with HTML
> in it___
