Tell you what. See how long it takes you to brute force this hash. Post the cleartext when you get it.
6AF59B04BA48B18C15E3CB3ACB2BA75B

I want to see how long it takes you.

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> The passwords in Windows are stored as hashes. They are not stored as
> plaintext. In order to get the password, you would need to brute force the
> hash.
>
> Cracking Windows passwords is an old idea with a great set of tools behind
> it. We are just using that knowledge to show that you shouldn't store
> passwords in cookies, hashed or not.
>
> As far as I understand it, if you store something as a client variable,
> there is no way for a hacker to get at it (unless of course he somehow gets
> into your database server, in which case all bets are off). But if you
> store it as a cookie, it's much more vulnerable to foul play.
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 4:14 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> If you are an admin on the machine you could get the passwords even if they
> weren't in cookies! If someone ever puts in their password at all outside
> of SSL, you can sniff the password. If someone steals the SAM file, what
> does it matter where I store the password or how I hash it?
>
> What does that have to do with cookies vs. client variables and the security
> impact of the two?
>
> On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> > Not really. There are different ways of getting hashes. One is you
> > can be an admin on the machine, and you can get the passwords of all the
> > users. Another way is to sniff it going across the network. You can also
> > steal the SAM file and get the password that way. The point is, you
> > don't always need to have a login on the system (or physical access to
> > the machine) to get people's passwords off of it.
> >
> > -----Original Message-----
> > From: Robertson-Ravo, Neil (RX)
> > [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 29, 2005 3:22 PM
> > To: CF-Talk
> > Subject: RE: pseudo-memory leak
> >
> > LOL, isn't that just like saying - I can get into any computer which
> > is locked... if you give me the password?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225632
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
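The thread's underlying point (a password hash handed to the browser is a secret the attacker can verify offline, while a server-side "client variable" leaves only an opaque identifier in the cookie) as an added, runnable illustration. This is not code from the thread or from any CF-Talk participant. It assumes MD5, since the posted 32-hex-digit value is the size of an MD5 (or NTLM) digest; the post itself does not say which algorithm was used, and the attack is the same for any unsalted fast hash. The wordlist, the sample passwords and the in-memory session store are all constructed for the example.

```python
"""Added example (not from the CF-Talk thread): why a password hash in a
cookie is an offline-crackable secret, and what to hand the browser instead.

Assumption: the thread's 32-hex-digit value looks like MD5 output, so MD5 is
used here; the attack does not depend on the algorithm, only on the hash
being unsalted and cheap to compute.
"""
import hashlib
import itertools
import secrets
import string
from typing import Iterable, Optional, Tuple

# Constructed wordlist of the kind every cracking tool ships with.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome"]


def unsalted_md5(password: str) -> str:
    """Hash exactly as a naive cookie scheme would: no salt, no per-user key."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


def crack_with_wordlist(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack. The attacker already holds the cookie value, so
    every guess is checked locally: no login attempt, no lockout, no log."""
    target = target_hex.upper()
    for candidate in wordlist:
        if unsalted_md5(candidate) == target:
            return candidate
    return None


def brute_force(target_hex: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Exhaustive search over every string of length 1..max_len drawn from
    `alphabet`. Returns (plaintext or None, number of guesses made)."""
    target = target_hex.upper()
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if unsalted_md5(candidate) == target:
                return candidate, guesses
    return None, guesses


# --- The server-side alternative the thread calls a "client variable" ------
# The browser only ever sees a random identifier; the data it maps to stays
# on the server, so there is nothing in the cookie worth brute forcing.

_SESSIONS: dict = {}  # token -> username; constructed in-memory store


def issue_session(username: str) -> str:
    """Return a 256-bit random token suitable for use as a session cookie."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    return token


def lookup_session(token: str) -> Optional[str]:
    """Resolve a presented cookie back to its owner, or None if unknown."""
    return _SESSIONS.get(token)


if __name__ == "__main__":
    # A weak password a user might pick, stored hashed in a cookie.
    cookie_value = unsalted_md5("letmein")
    print("cookie holds   :", cookie_value)
    print("wordlist hit   :", crack_with_wordlist(cookie_value, WORDLIST))

    # A hashed 4-digit PIN falls to exhaustive search in a few thousand tries.
    pin_cookie = unsalted_md5("7341")
    plaintext, guesses = brute_force(pin_cookie, string.digits, 4)
    print(f"4-digit PIN    : {plaintext} after {guesses} guesses")

    tok = issue_session("alice")
    print("session cookie :", tok, "->", lookup_session(tok))
```

The session token carries no information about the user or the password; an attacker who steals it can replay it until it expires, but cannot learn anything from it offline, which is the property the hashed-password cookie lacks.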

