Quote:
This problem only concerns the crypt function, using another form of encryption is a different story. I brought this up because plenty of programs do use the crypt method to put passwords in to htpasswd file and they should switch to a direct htaccess creation like you. I assume your site is working, I didn't get to try it. Anyway enough of this I got other stuff to do. But it was interesting for me to actually see how bad crypt() could be with a bad password. |
Quote:
Yes, the 8-char limit for some OSs has been shown, but so fucking what? First you started out saying the salt added to the passwd, which was shot down since no one uses standard salt. Then you said no one understands. Then you asked for a proof-of-concept 3char passwd to crack. Then you said you've had enough and you're off to bed????? Ehm, :error Thankfully, nobody hires you to programme for them. |
Yep, you're on crack :thumbsup
|
Quote:
Well, you're right! The limit is 8 chars. I only got into the salt debate because someone posted that the problem could be fixed with random salt. The only fix is to limit passwords to 8 chars or use something other than crypt(). Well, at least I discovered some really smart people in this post which made it all worth my time. Thanks for all the replies and "battles" hehehe! |
Quote:
|
Quote:
Nope, I still don't get you. You were the one that went on and on about the salt and how it is the first two letters of the password. Then you said your janesmith123 janesmith321 whatever encrypted passwords were all the same. Well, for me they're not. Then you said Quote:
Where the hell did you find that bullshit text to copy and paste from? |
Quote:
The truth. Now crack it. All of 3chars. You said you'd do it in one try. |
From Netcraft's homepage as of today
Four of the 10 most reliable hosters run their sites on FreeBSD, while two use Linux, and Windows Server 2003, Windows 2000 and Solaris 8 all make one appearance. Let me guess where you fall? |
Quote:
If you've been around for a while you probably already bought one of my scripts...so pop that nonsense. Nobody put up a link that had a 9 digit password encrypted with crypt()! And it wasn't me who went off on a tangent about salt. The only reason I brought up salt was to show how crypt made a password. I said over and over again that salt was NOT the problem; yet you sound as though you think crypt() can be fixed by not using standard salt; and if that's what you still think then you didn't understand the problem. The fix is to use a short password less than 9 characters. Forget about salt. But anyway thanks for posting some good stuff. |
Nope, it was you who kept harping on about salt in your original post. Now you're changing your stance to "any 9char passwd"
Well, I ain't saying anything until you crack my piss easy 3char passwd. Again, just to quote you: Quote:
I'm off to bed. You have until the morning to crack it. Hopefully this thread will now die as it should do, kneejerker. |
and I have never bought a script in my life, so I doubt it!
I programme low level code. I can back-end script with my eyes closed, so why would I need to buy shitty htaccess perl scripts from you? |
Hats off to you. Quality post 4 sure!
|
Well, I never said it was hard....:helpme
|
Quote:
I did it with pencil and paper :pimp |
borked - what's your contact info - email
|
Quote:
Like I said; I only need one guess for a 3 char encrypted password. Go here and create passwords or use crypt($passwd, $salt). http://www.htaccesstools.com/htpasswd-generator/ Run script:

```perl
#!/usr/bin/perl
print "Content-type: text/html\n\n";

# Candidate alphabet: digits, lower case, upper case (no special characters)
$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;

$passencrypted = "QVK7qHfRnSw3M";
# Traditional crypt() stores the salt as the first two characters of the hash
$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";

$a = 0;
foreach (@one) {
    # Safety stop; never reached with a 62-character alphabet
    if ($a >= 80) {
        print "abort<br>";
        exit;
    }
    $b = 0;
    foreach (@two) {
        $c = 0;
        foreach (@three) {
            $pw = "$one[$a]$two[$b]$three[$c]";
            $check = crypt($pw, $salt);
            if ($check eq $passencrypted) {
                print "$pw - is a possible password<br>";
            }
            $c++;
        }
        $b++;
    }
    $a++;
}
print "Ended OK";
exit;
```

:1orglaugh :1orglaugh :1orglaugh So much for encryption! |
PS: That little hack I just wrote for you assumes passwords without special characters...I could easily add all special characters to the alphadata string.
And, I could do the full eight characters but not on MY SERVER! Too much resources. |
Wow, you code like you draw dude! :thumbsup
|
I didn't really go into it but I think I get what you are saying - basically people are using the password as salt and they should use a random salt?
generally I think people are a bit stupid about security in this industry |
Quote:
BRUUUUUUUUUUHAHAHAHAHAHAHAHAHAHAHAHAHA!! HAHHAHAHAHAHAHAHAH!!! *sigh* There's no known way...hehehehe! Unless you can write 20 lines of FUCKING CODE!!! BRUUUUUUUUUUHAHAHAHAHAHHAHAHAHAHA! Let's see; please count these lines:

```perl
$alphadata = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
@one = split(//, $alphadata);
@two = @one;
@three = @one;
$passencrypted = "QVK7qHfRnSw3M";
$salt = substr($passencrypted, 0, 2);
print "salt = $salt<br>";
$a = 0;
foreach (@one) {
    $b = 0;
    foreach (@two) {
        $c = 0;
        foreach (@three) {
            $pw = "$one[$a]$two[$b]$three[$c]";
            $check = crypt($pw, $salt);
            if ($check eq $passencrypted) {print "$pw - is a possible password<br>";}
            $c++;}
        $b++;}
    $a++;}
print "Ended OK";
```

hehehehehe....hohohohoh....HAHAHAHAHAHAHA! *sigh* |
Where my dogs at?
|
perl is sooooo 80's :winkwink:
|
this thread makes me giggle. :helpme
|
Quote:
|
Or use a salt like: $1$<8 random chars>
Then you'll get an MD5 encrypted password, which is much better than crypt. Don't ever use the password as the salt value, it has to be random chars. |
Quote:
No matter how much "new" shit comes out I have yet to find something that could not be done in perl already.
ASP = SSI with perl cgi
Java = Object oriented perl (Java does come with easy tools though)
PHP = If you can't learn perl
C, C++ = Perl without the cool shit for text manipulation
...etc...
I think the reason webmasters sought solutions other than perl is that they didn't have good knowledge of libwww. libwww contains tons of modules that allow perl to do, well, MAGIC! Any new thing done on the internet can be programmed into a perl module and added to libwww. The modules can be written in different languages also, with C++ being one of the most used. Libwww allows perl to grow as a language without actually changing perl. This is not true with most of the "new stuff". If development of libwww continues in a positive direction then I suspect that in the future webmasters will migrate back to it as they will find that they can learn 5 new languages to get the project done or they can just use perl with all its libraries. The only drawback I see for perl is client-side applications. The client has to make an http request for perl. But Javascript can handle a lot of that and SSI can use perl to determine what javascript to send the client. |
Quote:
|
Quote:
That's not 'unencrypting', that's cracking. If someone can read your crypted passwords, you have bigger problems than an 8 character limit. |
what's this thread about?
8chr crypt passwords had been crackable since ages |
Quote:
All your server admins for your hosted sites can read your surfers' encrypted passwords. When one of the above gets fired and decides to fuck up all your member/customer accounts, you will then understand why I brought this issue up. That's the only reason they are encrypted. The hackers and surfers have to "break in" to read these files so like you said, if they can read the files you have bigger problems. But that's not the issue. The issue is that there is a belief that the crypt files cannot be used to return the original password. I have shown this to be a myth. PS: "unencrypting" is a subset of "cracking".:) |
Quote:
darksoul-logic = "Don't tell me about cigarettes causing cancer; that was discovered years ago...(begins to chain smoke)". |
Quote:
I'm already aware of the issue so I don't need to hear your preaching about. See my point ? Everyone knows about it, move along. |
Jesus christ what fucking shitstorm did i walk into.
|
Quote:
BTW: There is no such thing as an encrypted password created by a known/accessible function that cannot be unencrypted! There are only passwords that require too much processing to be worth anyone's time (except Russian spies). For example the 8char password could take up to 6,095,689,385,410,816 iterations of a subroutine to unencrypt. And that would require a dedicated computer that could run for anywhere from 2 months to 2 years before giving the result. Thus the requirement of many secure sites that you change your password every 90 days. By the time the computer has figured out your encrypted password you have already changed it to something else. |
Quote:
|
Quote:
http://www.antsight.com/zsl/rainbowcrack/ you can STFU now |
Quote:
I said "up to" as in, the worst case scenario would require that much processing. You must be one of those dudes who reads the want ad saying "earn up to $50,000" and you're stupid enough to think that's what YOU will make. |
Quote:
You should read the shit you post before posting it Quote:
Everything's faster when it's already done before you fucking start. |
Quote:
Quote:
|
Here we go again:boid
The easy crack of DES is all assuming you have access to the encrypted password file to compare. If you don't, then you have to hope to god the site to hack doesn't enforce some limit on the number of tries. And then after your 65 billion guesses, you get in. To where, an adult pay site to see some booteeee. :helpme May have been easier to just pay the 1-month fee. How many sites use htaccess to give free run of the server? |
Quote:
haha, so you finally read what a rainbow table is :) |
Quote:
|
Quote:
you said between 2 months and 2 years. using rainbow tables will take a few minutes and nowhere near 2 months. make up your mind |
Quote:
|
Quote:
|
Quote:
I had said that a 3char encrypted (using crypt()) password was bad and could be cracked in no time by someone who saw the encrypted password (like an employee of the site). That's all I said. Then you go off into space and make a big deal about it. Did you run the last fucking code I posted? Go ahead and try your 3char encryption in my code and it will undo that shit in less than 3 secs! |
y'all need to find jesus.
|
Quote:
|
Quote:
that's the reason this thread is useless :) |
anyway, I said random salts.
rainbow tables are lookup tables. No good if the salt is random - the encrypted pass will change each time |
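
As an added example (not code from any poster in this thread): a small Python audit that classifies the hash scheme of each entry in an htpasswd-style file, so entries still in the traditional 13-character crypt() format argued about above (2-character salt, 8-character password limit) can be found and re-hashed. The sample file is constructed, apart from the hash `QVK7qHfRnSw3M` quoted in the thread; the function names and assessments are this example's own.

```python
import re

# Ordered (pattern, scheme, assessment) rules for the hash field of an htpasswd line.
SCHEMES = [
    (re.compile(r"^\$2[abxy]\$\d\d\$"), "bcrypt", "ok: salted, tunable cost"),
    (re.compile(r"^\$[56]\$"), "sha-crypt", "ok: salted, iterated"),
    (re.compile(r"^\$apr1\$"), "apr1-md5", "legacy: salted MD5 variant"),
    (re.compile(r"^\$1\$"), "md5-crypt", "legacy: salted MD5, no 8-char limit"),
    (re.compile(r"^\{SHA\}"), "sha1-unsalted", "weak: no salt at all"),
    # Traditional crypt(): 2 salt chars + 11 hash chars; input cut at 8 chars.
    # Heuristic: a 13-char plaintext from this alphabet would also match.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", "weak: 8-char limit, 2-char salt"),
]

def audit(text):
    """Return (line number, user, scheme, assessment) per credential line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        for pattern, scheme, note in SCHEMES:
            if pattern.match(hashed):
                break
        else:
            scheme, note = "unknown", "review: not a recognised hash format"
        findings.append((lineno, user, scheme, note))
    return findings

def needs_rehash(text):
    """Users whose entry should be re-hashed with a stronger scheme."""
    return [u for _, u, s, _ in audit(text) if s not in ("bcrypt", "sha-crypt")]

# Constructed sample file; only alice's hash string appears in the thread.
SAMPLE = """\
alice:QVK7qHfRnSw3M
bob:$apr1$Xy3kLm9p$0123456789abcdefghijk.
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
erin:$1$Ab3dEf9h$abcdefghijklmnopqrstu.
# comment line
frank:plaintextpw
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```
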