Hi dear list,
wac a écrit :
>
>
> On 1/5/07, [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>*
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> > wrote:
>
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password
> information.
> >
> > It's a password hash, you super hacker.
>
>
> yes that's correct but don't forget that hashes can collide
>
> it could be the case that:
>
can ? could ? might ? Do you have any mathematical prouve or are you
just guessing ?
> xhash("$Up3$tr0n9 # [EMAIL PROTECTED]") == xhash("1234") and you don't even
> need the original strong one ;)
>
what hashing algorithm is being use ? Is a collision realistic ? How
much time would it take to actually break a given hash ?
> so strong password is not a countermesure to that
>
> I beleive that is a BIG security hole
>
At least, the hash was probably not meant to be leaked ;)
Now, if you don't answer the above questions by "can", "weak", "very",
"< 1 day or so", hence, the word "BIG" is a bit exagereted imho...
Regards,
endrazine-
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
