|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Neoboard 3.0 insecurely creates passwords
From: Signal 11 (signal11
MEDIAONE.NET)Date: Mon Aug 14 2000 - 14:05:05 CDT
- Next message: Daniel Docekal: "Something to URGE for Windows NT/2000 administrators"
- Previous message: Hiroaki Etoh: "Re: machine independent protection from stack-smashing attack"
- In reply to: Jonathan Leto: "Neoboard 3.0 insecurely creates passwords"
- Reply: Signal 11: "Re: Neoboard 3.0 insecurely creates passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> All passwords are generated with a salt of ".v" . This isn't a
> huge security hole, but if someone gets to the hashes in your
> database, it will be a lot easier to crack them.
This is particularily objectionable because PHP will happily
generate a random salt by simply omitting one. The only reason
one should specify a salt is when encrypting a password to
compare it to the one in the database. Just extract the first
two letters from the string and pass that to the crypt function -
you can do all of it on one line. :/
~ Signal 11
- Next message: Daniel Docekal: "Something to URGE for Windows NT/2000 administrators"
- Previous message: Hiroaki Etoh: "Re: machine independent protection from stack-smashing attack"
- In reply to: Jonathan Leto: "Neoboard 3.0 insecurely creates passwords"
- Reply: Signal 11: "Re: Neoboard 3.0 insecurely creates passwords"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]