Subject | Re: [IB-Architect] Security holes... |
---|---|
Author | Jan Mikkelsen |
Post date | 2000-04-03T01:51:07Z |
Doug Chamberlin wrote:
>At 4/2/00 07:16 PM (Sunday), Jan Mikkelsen wrote:
>>I assume passwords are transmitted over the wire in the clear, so they
>>could also be sniffed
>>avoiding the whole "get a copy of isc4.gdb" thing.
>
>Of course, they are not! Only the encrypted form is sent.
Great, I hadn't checked the line protocol in any way.
I did some quick experiments with isc4.gdb, and then did a quick search at
Mers (which is a very useful site), and found that the algorithm in use is
Unix crypt(3) with a constant(!) salt.
Pick your favourite password cracker and tell it the salt, or have a table
of encrypted dictionary word permutations and just do a lookup. Reusable
for every user and password because the salt is constant.
Jan Mikkelsen
janm@...
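
Added example, not part of the original post and not InterBase code: a defender-side audit that checks a credential store for the constant-salt condition described above and for users whose stored values are identical. It assumes stored values use the traditional 13-character crypt(3) layout (2-character salt followed by 11 hash characters); `audit_salts` is a hypothetical helper and the sample records are constructed placeholders, not real crypt output.

```python
import re
from collections import defaultdict

# Traditional crypt(3) output: 2-character salt + 11 hash characters,
# all drawn from the alphabet [./0-9A-Za-z].
CRYPT_RE = re.compile(r"([./0-9A-Za-z]{2})([./0-9A-Za-z]{11})")

def audit_salts(records):
    """records: iterable of (user, stored_value). Returns a findings dict."""
    by_salt = defaultdict(list)   # salt -> users hashed under that salt
    by_hash = defaultdict(list)   # full stored value -> users sharing it
    malformed = []
    for user, stored in records:
        m = CRYPT_RE.fullmatch(stored)
        if not m:
            malformed.append(user)  # not in the assumed format; report, don't guess
            continue
        by_salt[m.group(1)].append(user)
        by_hash[stored].append(user)
    valid = sum(len(users) for users in by_salt.values())
    return {
        "valid_records": valid,
        "malformed": malformed,
        # One precomputed table is needed per distinct salt, so 1 here means
        # a single table covers every account in the store.
        "distinct_salts": len(by_salt),
        "constant_salt": valid > 1 and len(by_salt) == 1,
        # Same salt and same hash means the same password.
        "shared_hashes": sorted(sorted(u) for u in by_hash.values() if len(u) > 1),
    }

# Constructed sample data (placeholders with the right shape only).
SAMPLE_CONSTANT = [
    ("alice", "zzAbCdEfGhIjK"),
    ("bob",   "zz0123456789a"),
    ("carol", "zzAbCdEfGhIjK"),
    ("dave",  "short"),
]
SAMPLE_PER_USER = [
    ("alice", "a1AbCdEfGhIjK"),
    ("bob",   "Q/0123456789a"),
    ("carol", "x.AbCdEfGhIjK"),
]

if __name__ == "__main__":
    for name, sample in (("constant", SAMPLE_CONSTANT), ("per-user", SAMPLE_PER_USER)):
        print(name, audit_salts(sample))
```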