Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Validating if password is encoded or encrypted
From: "Abe" <abek1 () comcast net>
Date: Sat, 17 Sep 2011 10:05:58 -0700

Most APIs will give you a byte array after Base64 decoding.  Once you have
the byte array you will need to pass that to the string constructor and
specify the character set used on the system where the passwords were
stored.

Usually the passwords will be base64 encoded before being stored in the db
so when you convert the base64 decoded bytes into a string you either want
to do this on the same system that base64 encoded the data using the default
character set or on your system and ensure that the character set on your
system matches that on the system which does the base64 encoding or if they
don't match you will need to specify the character set used to create the
string object from bytes.

Then you can reliable look at the string data to see if it resembles viable
passwords or encrypted characters.

By the way, if you are doing this on live systems then it could be exposing
actual user passwords.

Regards,
Abe

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Maksim.Filenko () fuib com
Sent: Monday, September 12, 2011 7:37 AM
To: Karen Sy
Cc: listbounce () securityfocus com; pen-test () securityfocus com
Subject: RE: Validating if password is encoded or encrypted

Hey Karen,

It is possible for passwords to be encrypted (i.e. with AES) and then 
encoded with Base64 before storing it in DB.

What do you get after decoding those Base64 strings? Binary data?

wbr,
 - Max

Hi Everyone,  I'm currently reviewing an app prior to launching to our
prod. One of our security requirements is for the password to be
encrypted.
When i checked the password field in db, i noticed that all passwords
are ending with a double equal sign e.g "==".
I am under the impression that they are just base64 encoded rather
than encrypted. However, i tried decoding it using base64 but i'm not
getting a valid data.

Am i right in saying that the password is encoded? If yes with what 
e.g. base64?
How can i prove or show them that this the password is just encoded
rather than encrypted?
Or is it encrypted?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]