- old school security

Fred Cisin cisin at xenosoft.com
Wed Apr 25 19:00:22 CDT 2007


On Wed, 25 Apr 2007, der Mouse wrote:
> By definition, if you can do better than brute force, you need a better
> hash algorithm.

Surprisingly, I've had students who had been taught that ALL one-way
functions are completely and totally uncrackable.


> > It will most likely be a nonsense string of characters, rather than
> > the name of the user's canary, but it will work.
>
> Not necessarily; for example, if it contains NL or NUL characters, it
> will not work as a Unix password, even if it does produce the correct
> hash when shoved through the algorithm.

Your brute force algorithm should be limited to keyboardable characters
that are accepted by that OS.


> Security through obscurity?  Doesn't work.  Certainly not in a case
> like this, where implementations of the algorithm are, perforce,
> widespread.
certainly not for long!  I should have punctuated that in a manner that
would imply sarcasm.

> > and access to the hashcodes for accounts shuld be limited.
> That helps, a little, but it's a belt-and-suspenders measure.

In terms of entry, it makes no difference.  But it is helpful if there is
alternate access to the drive (booting with another OS or reading sectors
elsewhere), and it helps to avoid unauthorized rights amplification.

--
Grumpy Ol' Fred     		cisin at xenosoft.com



More information about the cctech mailing list