Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-11 Thread Wichert Akkerman
Previously Peter van Dijk wrote: "crypt() passwords are never more than 8 characters - anything beyond 8 characters is discarded." That highly depends on the crypt implementation. The original crypt only used 8 characters, but modern implementations can use different schemes (md5 for example).

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-11 Thread Barney Wolff
Aside from using rand, which ain't worth much, perhaps it would be better to actually supply 64 chars for what's supposed to be a 64-byte array. You might even copy the real base64 encoding array, which is (A..Z,a..z,0..9,+,/). Barney Wolff On Fri, Jun 08, 2001 at 04:27:36PM -0700, Tyler Walden

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Chris Adams
Once upon a time, Peter Ajamian said: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the This is not new; I

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Len Sassaman
On Fri, 8 Jun 2001, Peter Ajamian wrote: "Do not use the Crypt-PW authentication-scheme. Instead use the MAIL_FROM or PGP scheme instead." Neither of these are very good options either. The problems with MAIL-FROM are the obvious flaws you find in

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Peter W
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the password is

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread jkohl
On Fri, 08 Jun 2001 00:37:34 -0700 Peter Ajamian wrote: Problem: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Peter van Dijk
On Fri, Jun 08, 2001 at 12:37:34AM -0700, Peter Ajamian wrote: [snip] computer. A new 1ghz computer could easily crank out 6 char passwords in mere seconds, 8 char passwords in a few hours, and a 10 char password probably in a week to a month or better. crypt() passwords are never more than

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Tyler Walden
For those interested here is a Perl program to generate Crypt-PW's with a proper salt. #!/usr/bin/perl $salt=salt(); print "password encryptee, [CTRL]-D quits.\n"; while (<STDIN>) { chop; $text=crypt($_,$salt); print $text."\n"; } sub salt { local($salt); local($i, $rand); local(@itoa64) = ( 0

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-10 Thread Peter Ajamian
Peter W wrote: Plus when you submit a change request template, your email contains the plaintext password. :-( Changing your password means sending the cleartext value to NetSol via email. So changing your password involves risk. :-( In my recent experience, the unencrypted password is

Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-08 Thread Peter Ajamian
Problem: While crypt password authentication is not in and of itself very secure, Network Solutions have made it even less so by including the first two characters of the password as the salt of the encrypted form. While the password is transmitted via a secure session, the encrypted form is

Re: Network Solutions Crypt-PW Authentication-Scheme vulnerability

2001-06-08 Thread aleph1
This is a very old problem. See http://www.securityfocus.com/archive/1/5494 (1996) http://www.securityfocus.com/archive/1/34191 (1999) NSI obviously does not care much about the security. I haven't been able to get PGP authentication working in months. -- Elias Levy SecurityFocus.com