WebApp Sec mailing list archives
RE: Securing encrypted data in RAM vs MSSQL
From: Dean Saxe <Dean.Saxe () DigitalInsight com>
Date: Thu, 1 Jul 2004 13:34:33 -0400
Shouldn't a salt value added to the plaintext before hashing effectively make this kind of a dictionary attack much more difficult, if not impossible, to perform since you would have to recover the salt and plaintext? -dhs -----Original Message----- From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] Sent: Thursday, July 01, 2004 1:19 PM To: Toro, Daniel; Stan Guzik; Dave Andrews; webappsec () securityfocus com; forensics () securityfocus com Subject: RE: Securing encrypted data in RAM vs MSSQL Well, there is always a way to recover the real password or login from a hash...the matter's is the time it will take! The method to "dehash" a hash is quite simple: as theorically a hash_1 can be produced by a single pass_1/login_1/..., we can create a huge amount of random pass_2/logins_2/..., hash them with MD5/SHA-1/... and then compare each of them with our hash_1. ASA the two hashes are the same, we can pick up the pass/login/... which produced hash_2. Quite simple but really long to perform. BTW, Cain & Abel, John the Ripper and Crack can perform such recoveries... :)
Current thread:
- Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL George Capehart (Jul 01)
- <Possible follow-ups>
- RE: Securing encrypted data in RAM vs MSSQL Stan Guzik (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL Toro, Daniel (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Yvan Boily (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dean Saxe (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Mark Curphey (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Lucas Holt (Jul 06)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 06)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Michael Silk (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL exon (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 02)