On Fri, September 14, 2007 5:30, steve miller said: > I have a client who wants me to use the usernames/passwords in an > existing database as the authentication for a new web application (so > that he doesn't have to make users enter the info into 2 places). The > problem is that the passwords in the existing database are encrypted, > and since I don't know how they were encrypted, I can't figure out > how to write a compare method. > > Looks like some kind of byte codes; when we enter new passwords, here > are some examples of how they are saved: > a == 0xFB > b == 0xFC > aaa = 0xFBFFF9 > q == 0x0C > > Can anyone start me in the right direction to try to figure out how > it's being done? > > Thank you for any ideas, > steve >
Steve, Before you attempt this, you should be aware that attempting to break the encrypted information stored in this database may be illegal. Especially since it's password information. You may want to talk with your corporate legal department. You may also, if possible, want to talk to the software company that wrote the first application and see if you can leverage published APIs to use their algorithms for using the information. That said, analyzing the existing passwords will be the only solution. Creating new accounts may help. First create two accounts (one is username 'aa' and one that is 'ab') that have the same password and verify that both passwords are the same. If the passwords ARE identical, then they are using a straight Caesar cipher (or some variant) (http://en.wikipedia.org/wiki/Caesar_cipher). If the encrypted passwords are different, this will become much harder. I will assume that the encrypted passwords are the same. Using the same accounts, change one password by changing the first letter of one account to an Uppercase letter (if it was lowercase to begin with, otherwise change it to uppercase). Compare again. Now change the first character to a number and compare again. This will all help determine the range of available characters and how the algorithm changes them. You'll have to do more testing, but in short, through pattern analysis you should be able to develop an algorithm that does the actual encryption. This brute force attack could be a lot of work (possibly up to 50-100 hours depending on the complexity of the algorithm if it's a good one). Good Luck Tim -- Timothy J. Bruce Registered Linux User #325725 ____ The WDVL Discussion List from WDVL.COM ____ To Join wdvltalk, Send An Email To: mailto:[EMAIL PROTECTED] or use the web interface http://e-newsletters.internet.com/discussionlists.html/ Send Your Posts To: [email protected] To change subscription settings, add a password or view the web interface: http://intm-dl.sparklist.com/read/?forum=wdvltalk ________________ http://www.wdvl.com _______________________ You are currently subscribed to wdvltalk as: unknown lmsubst tag argument: '' To unsubscribe send a blank email to [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
