Message-ID: <BLU0-SMTP4485C5B7B29E09FAB49B44FDFC0@phx.gbl>
Date: Fri, 22 Jun 2012 10:19:16 +0200
From: Frank Dittrich <frank_dittrich@...mail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Re: EPiServer format fails on 32-bit builds.

On 06/22/2012 10:03 AM, Dhiru Kholia wrote:
> 18 is the upper bound. I will fix my source to use this upper bound.

18 is the upper bound only if the base64 encoded salt is not longer than
24 characters.
Since valid() doesn't verify this, it is still possible to break this
format.
I am, however, not sure if valid() should reject hashes if the base64
encoded salt is longer than 24 characters, or if the format should be
able to handle a larger salt size (and if so, which one).

Googling for "aspnet_membership passwordformat" I found this link:

http://msdn.microsoft.com/en-us/library/aa478949.aspx

Not sure if this also applies to episerver.
But

PasswordSalt
nvarchar(128)
Randomly generated 128-bit value used to salt password hashes; stored in
base-64-encoded form

generates more confusion than it clarifies anything.
128 characters, bytes, or bits?
Before or after base64 encoding?
No idea.

Frank
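An added example, not code from John the Ripper, from EPiServer, or from anyone in this thread: a stand-alone C check of the base64 salt field that makes the bound discussed above explicit and refuses to decode a salt that would not fit. The names MAX_SALT_B64_LEN, MAX_SALT_RAW_LEN, episerver_salt_check and episerver_salt_decode are hypothetical, the full EPiServer hash line syntax is not reproduced (only the salt field is handled), and the sample salts are constructed. The arithmetic it relies on: 24 base64 characters decode to at most 24 * 3 / 4 = 18 bytes; a 128-bit (16-byte) salt encodes to 24 characters ending in "=="; a 128-character field would decode to 96 bytes, well beyond either bound.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical bounds, not identifiers from John the Ripper's episerver
 * format: 24 base64 characters decode to at most 24 * 3 / 4 = 18 raw bytes,
 * and a 128-bit (16-byte) salt encodes to 24 characters ending in "==".
 */
#define MAX_SALT_B64_LEN 24
#define MAX_SALT_RAW_LEN 18

/* Map one base64 alphabet character to its 6-bit value, or -1 if it is not
 * in the alphabet ('=' padding is handled by the callers). */
static int b64_value(int c)
{
	if (c >= 'A' && c <= 'Z') return c - 'A';
	if (c >= 'a' && c <= 'z') return c - 'a' + 26;
	if (c >= '0' && c <= '9') return c - '0' + 52;
	if (c == '+') return 62;
	if (c == '/') return 63;
	return -1;
}

/* valid()-style check on the base64 salt field alone.  Returns the number
 * of raw bytes the salt decodes to, or -1 if the field is empty, not a
 * whole number of base64 quanta, longer than MAX_SALT_B64_LEN, contains a
 * non-alphabet character, or would decode to more than MAX_SALT_RAW_LEN
 * bytes. */
int episerver_salt_check(const char *salt)
{
	size_t len = strlen(salt), pad = 0, i, raw;

	if (len == 0 || len % 4 != 0 || len > MAX_SALT_B64_LEN)
		return -1;
	/* at most two '=' and only at the very end */
	if (salt[len - 1] == '=') {
		pad = 1;
		if (salt[len - 2] == '=')
			pad = 2;
	}
	for (i = 0; i < len - pad; i++)
		if (b64_value((unsigned char)salt[i]) < 0)
			return -1;
	raw = len / 4 * 3 - pad;
	if (raw > MAX_SALT_RAW_LEN)
		return -1;
	return (int)raw;
}

/* Decode the salt into out[], which holds outlen bytes.  Returns the number
 * of bytes written, or -1 if the salt fails the check or does not fit.  The
 * decoded length is established before any byte is written, so an
 * oversized salt can never run past the end of a fixed-size salt buffer. */
int episerver_salt_decode(const char *salt, unsigned char *out, size_t outlen)
{
	int raw = episerver_salt_check(salt);
	size_t len, i, o = 0;

	if (raw < 0 || (size_t)raw > outlen)
		return -1;
	len = strlen(salt);
	for (i = 0; i < len; i += 4) {
		unsigned int v = 0;
		int k;
		for (k = 0; k < 4; k++) {
			int c = (unsigned char)salt[i + k];
			v = (v << 6) | (unsigned int)(c == '=' ? 0 : b64_value(c));
		}
		/* the last quantum may carry fewer than three payload bytes */
		if (o < (size_t)raw) out[o++] = (v >> 16) & 0xff;
		if (o < (size_t)raw) out[o++] = (v >> 8) & 0xff;
		if (o < (size_t)raw) out[o++] = v & 0xff;
	}
	return (int)o;
}

int main(void)
{
	/* constructed salts: 16-byte (128-bit), 18-byte, oversized 21-byte, 3-byte */
	const char *salts[] = {
		"AAAAAAAAAAAAAAAAAAAAAA==",
		"AAAAAAAAAAAAAAAAAAAAAAAA",
		"AAAAAAAAAAAAAAAAAAAAAAAAAAAA",
		"QUJD",
	};
	unsigned char buf[MAX_SALT_RAW_LEN];
	size_t i;

	for (i = 0; i < sizeof salts / sizeof salts[0]; i++)
		printf("%-30s check=%d decode=%d\n", salts[i],
		       episerver_salt_check(salts[i]),
		       episerver_salt_decode(salts[i], buf, sizeof buf));
	return 0;
}
```

Usage: call episerver_salt_check() from the format's validity check and episerver_salt_decode() when filling the salt buffer; because the decoded length is computed from the encoded length and compared against the buffer size before decoding, a salt longer than 24 characters is rejected instead of overrunning an 18-byte salt field, which is the gap an unchecked valid() leaves open.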
