Author Topic: Matching passwords!  (Read 7316 times)

iago
Matching passwords!
« on: October 14, 2008, 12:00:45 pm »


I just got that error message from Safeguard Easy (my laptop's encryption). Fortunately, my password only matched my own password, but what if it was somebody else's? It'd be good to know!

I think I need to superimpose "FAIL" on this. :)

Sidoh
Re: Matching passwords!
« Reply #1 on: October 14, 2008, 12:03:46 pm »
lol, I wonder what genius thought it'd be a good idea to add in that little feature.

Blaze
Re: Matching passwords!
« Reply #2 on: October 14, 2008, 12:05:45 pm »
Well, that is the admin program, is it not?  It might be good to know that you're not setting everyone to have the same passwords..
And like a fool I believed myself, and thought I was somebody else...

iago
Re: Matching passwords!
« Reply #3 on: October 14, 2008, 02:15:36 pm »
> Well, that is the admin program, is it not?  It might be good to know that you're not setting everyone to have the same passwords..
It lets you administrate your own account, though (I'm logged in as 'user', not as 'administrator')

Chavo
Re: Matching passwords!
« Reply #4 on: October 14, 2008, 02:17:11 pm »
Someone else is using SGE1188? That is fail.

iago
Re: Matching passwords!
« Reply #5 on: October 14, 2008, 02:18:41 pm »
> Someone else is using SGE1188? That is fail.
Yes, because I naturally pick a password that matches the name of the software (SGE = Safeguard Easy) :P

Chavo
Re: Matching passwords!
« Reply #6 on: October 14, 2008, 02:20:41 pm »
Well that would make it easier to remember! :D

iago
Re: Matching passwords!
« Reply #7 on: October 14, 2008, 02:23:57 pm »
*changes forum password to something besides 'x86forum'*

I should check if anybody is using that for their password. :D

Camel
Re: Matching passwords!
« Reply #8 on: October 18, 2008, 05:46:53 pm »
Unsalted crypto: fail.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

iago
Re: Matching passwords!
« Reply #9 on: October 18, 2008, 07:45:03 pm »

Camel
Re: Matching passwords!
« Reply #10 on: October 23, 2008, 04:45:06 pm »
The fact that it knows the passwords match means one of: there is no hash, the hash is not salted, or the salts are the same.

The first and third seem pretty unlikely, so I'm assuming that the hash is unsalted -> fail.

iago
Re: Matching passwords!
« Reply #11 on: October 23, 2008, 10:02:44 pm »
> The fact that it knows the passwords match means one of: there is no hash, the hash is not salted, or the salts are the same.
>
> The first and third seem pretty unlikely, so I'm assuming that the hash is unsalted -> fail.
Err, no?

When you salt a password, they're stored together. For example, Linux passwords are stored like this:
ron:$1$C8i1C6/t$d.SI5o5dcBuLh5rF2DMU90:14153:0:99999:7:::

The first part ("C8i1C6/t") is the salt, and the second part ("d.SI5o5dcBuLh5rF2DMU90") is the hash. You can easily verify whether or not a password matches that salt. If you can't verify that an arbitrary password matches the hash, then how is it supposed to be used?

And for what it's worth, this is full disk encryption software, which means that the hard drive is encrypted with AES256 (or similar). The symmetric key for AES is encrypted using my password, so at the very least it'd be possible to attempt a decryption with the password that was presented and see if that works. But I even doubt that that happens -- it likely stores the hashed password for quick verification.


(Note: that's the actual line from my /etc/shadow file on my laptop -- if somebody can PM me my actual password, I'll send them a prize. I'll be *extremely* surprised if that happens, though, so it'll be an exceptionally nice prize. :) )
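
Added example, not part of the original posts: a sketch of the point made in the reply above, that a salt is stored beside its hash, so per-user salts hide matching passwords from anyone comparing stored values, while software that is handed the plaintext can still re-hash it under each salt. PBKDF2 stands in for md5-crypt here, and the user names, passwords and helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Line quoted in the post above. Fields are colon-separated; the password
# field has the form $id$salt$hash, where id "1" is the md5-crypt scheme.
SHADOW_LINE = "ron:$1$C8i1C6/t$d.SI5o5dcBuLh5rF2DMU90:14153:0:99999:7:::"

def parse_shadow(line):
    """Split a shadow entry into (user, scheme id, salt, hash)."""
    user, field = line.split(":")[:2]
    _, scheme, salt, digest = field.split("$")
    return user, scheme, salt, digest

def hash_password(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256 as a stand-in for the real scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password):
    """Store a fresh random salt next to the hash, as the shadow line does."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def verify(password, record):
    """Re-hash the candidate under the stored salt and compare."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def stored_hashes_collide(db):
    """True if any two stored hashes are equal (what unsalted storage leaks)."""
    hashes = [rec["hash"] for rec in db.values()]
    return len(set(hashes)) != len(hashes)

def users_sharing_password(new_password, db):
    """With the plaintext in hand, test it against every user's own salt."""
    return sorted(user for user, rec in db.items() if verify(new_password, rec))

def build_demo_db():
    # Constructed sample data: alice and bob share a password, carol does not.
    return {
        "alice": make_record("constructed-pw-1"),
        "bob": make_record("constructed-pw-1"),
        "carol": make_record("constructed-pw-2"),
    }

if __name__ == "__main__":
    db = build_demo_db()
    print(parse_shadow(SHADOW_LINE))
    print("stored hashes collide:", stored_hashes_collide(db))
    print("match on plaintext:", users_sharing_password("constructed-pw-1", db))
```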

Hitmen
Re: Matching passwords!
« Reply #12 on: October 24, 2008, 12:06:19 pm »
> (Note: that's the actual line from my /etc/shadow file on my laptop -- if somebody can PM me my actual password, I'll send them a prize. I'll be *extremely* surprised if that happens, though, so it'll be an exceptionally nice prize. :) )
that sounds like a challenge!
Quote
(22:15:39) Newby: it hurts to swallow

iago
Re: Matching passwords!
« Reply #13 on: October 24, 2008, 12:06:47 pm »
> > (Note: that's the actual line from my /etc/shadow file on my laptop -- if somebody can PM me my actual password, I'll send them a prize. I'll be *extremely* surprised if that happens, though, so it'll be an exceptionally nice prize. :) )
> that sounds like a challenge!
That's logical, since it IS a challenge.

Good luck!

Hitmen
Re: Matching passwords!
« Reply #14 on: October 24, 2008, 12:08:22 pm »
Dammit iago that was too easy. password isn't a very secure password!

iago
Re: Matching passwords!
« Reply #15 on: October 24, 2008, 12:10:42 pm »
Damnit, must be a collision!

Camel
Re: Matching passwords!
« Reply #16 on: October 24, 2008, 12:58:49 pm »
Oh, right. The catch is that you have to know the unencrypted password. It didn't occur to me that such information was available, even though the screen shot clearly shows it is :P