Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Google Desktop Search
From: mike () ampeisch com
Date: Sat, 16 Oct 2004 20:24:53 -0400 (EDT)

Not necessarily -- that's what "salt" characters are for in crypto. Check
out "Applied Cryptography".  The added value is that if you have the plain
text password, you have the password, if you have the hash, you still have
to crack it, or BF it.  MD5sum is one of the methods that Unix/Linux use
for OS password storage.  What Yahoo is doing isn't perfect, but it's a
damn site better than pointless.


What is the added benefit of sending MD5 hashes instead of plain-text
passwords? I mean, the MD5 hash will be the same for the same password,
isn't it?

I hope that Yahoo has implemented something more complicated that that,
otherwise it is plain pointless.

-- rem.

mike () ampeisch com wrote:
 Read the javascript in the headers of Yahoo's login page:

<-- Begin javascript comments from Yahoo -->
 * A JavaScript implementation of the RSA Data Security, Inc. MD5
 * Digest Algorithm, as defined in RFC 1321.
 * Copyright (C) Paul Johnston 1999 - 2000.
 * Updated by Greg Holt 2000 - 2001.
 * See http://pajhome.org.uk/site/legal.html for details.

<-- End Javascript comments from Yahoo -->

THEY don't even cache, or pass, your password. Like all secure programs,
they store, and transmit, an MD5 Sum.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]