Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Validating if password is encoded or encrypted
From: Maksim.Filenko () fuib com
Date: Mon, 12 Sep 2011 17:37:23 +0300

Hey Karen,

It is possible for passwords to be encrypted (i.e. with AES) and then 
encoded with Base64 before storing it in DB.

What do you get after decoding those Base64 strings? Binary data?

wbr,
 - Max

Hi Everyone,  I'm currently reviewing an app prior to launching to our
prod. One of our security requirements is for the password to be
encrypted.
When i checked the password field in db, i noticed that all passwords
are ending with a double equal sign e.g "==".
I am under the impression that they are just base64 encoded rather
than encrypted. However, i tried decoding it using base64 but i'm not
getting a valid data.

Am i right in saying that the password is encoded? If yes with what 
e.g. base64?
How can i prove or show them that this the password is just encoded
rather than encrypted?
Or is it encrypted?

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]