Clan x86
Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on October 14, 2008, 12:00:45 pm
-
(http://www.javaop.com/~ron/images/screenshots/safeguard.png)
I just got that error message from Safeguard Easy (my laptop's encryption). Fortunately, my password only matched my own password, but what if it was somebody else's? It'd be good to know!
I think I need to superimpose "FAIL" on this. :)
-
lol, I wonder what genius thought it'd be a good idea to add in that little feature.
-
Well, that is the admin program, is it not? It might be good to know that you're not setting everyone to have the same passwords..
-
Well, that is the admin program, is it not? It might be good to know that you're not setting everyone to have the same passwords..
It lets you administrate your own account, though (I'm logged in as 'user', not as 'administrator')
-
Someone else is using SGE1188? That is fail.
-
Someone else is using SGE1188? That is fail.
Yes, because I naturally pick a password that matches the name of the software (SGE = Safeguard Easy) :P
-
Well that would make it easier to remember! :D
-
*changes forum password to something besides 'x86forum'*
I should check if anybody is using that for their password. :D
-
Unsalted crypto: fail.
-
Unsalted crypto: fail.
Hmm?
-
The fact that it knows the passwords match means one of: there is no hash, the hash is not salted, or the salts are the same.
The first and third seem pretty unlikely, so I'm assuming that the hash is unsalted -> fail.
-
The fact that it knows the passwords match means one of: there is no hash, the hash is not salted, or the salts are the same.
The first and third seem pretty unlikely, so I'm assuming that the hash is unsalted -> fail.
Err, no?
When you salt a password, they're stored together. For example, Linux passwords are stored like this:
ron:$1$C8i1C6/t$d.SI5o5dcBuLh5rF2DMU90:14153:0:99999:7:::
The first part ("C8i1C6/t") is the salt, and the second part ("d.SI5o5dcBuLh5rF2DMU90") is the hash. You can easily verify whether or not a password matches that salt. If you can't verify that an arbitrary password matches the hash, then how is it supposed to be used?
And for what it's worth, this is full disk encryption software, which means that the hard drive is encrypted with AES256 (or similar). The symmetric key for AES is encrypted using my password, so at the very least it'd be possible to attempt a decryption with the password that was presented and see if that works. But I even doubt that that happens -- it likely stores the hashed password for quick verification.
(Note: that's the actual line from my /etc/shadow file on my laptop -- if somebody can PM me my actual password, I'll send them a prize. I'll be *extremely* surprised if that happens, though, so it'll be an exceptionally nice prize. :) )
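Added example (not from anyone in this thread, and not Safeguard Easy's or glibc's code): the storage shape from the /etc/shadow line above ($scheme$salt$hash) with a constructed PBKDF2-HMAC-SHA256 scheme from hashlib standing in for md5crypt ($1$), so it runs on any current Python without the removed crypt module. It shows the two points being argued: a salted record can only be checked by recomputing with its own salt, which works for any candidate password; and a "does anybody else use this password?" check is still possible for a tool that holds the plaintext at change time, because it can recompute per account, whereas comparing stored strings to each other finds nothing when salts differ. Account names and passwords are constructed sample data.

```python
"""Salted password storage, verification, and a per-account reuse check.

Constructed example: the record format mirrors the $scheme$salt$hash shape of
the shadow line in the thread, but the hash is PBKDF2-HMAC-SHA256 (hashlib),
not md5crypt, and the scheme name below is invented for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

SCHEME = "pbkdf2-sha256"   # constructed identifier, not a real crypt(3) tag
ITERATIONS = 100_000


def _b64(raw: bytes) -> str:
    """Unpadded base64, so '$' never appears inside a field."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return '$scheme$salt$hash'.

    A fresh random salt is drawn per call unless one is supplied, so two
    accounts with the same password get different stored strings.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"${SCHEME}${_b64(salt)}${_b64(digest)}"


def _split(stored: str) -> Tuple[bytes, bytes]:
    """Pull salt and hash back out of the stored string."""
    _, scheme, salt_b64, hash_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported scheme {scheme!r}")
    return _unb64(salt_b64), _unb64(hash_b64)


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt taken from the record and compare in constant time.

    This is the only way to check a candidate against a salted record, and it
    works for any candidate, which is the point made in the post above.
    """
    salt, expected = _split(stored)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, expected)


def users_sharing(password: str, records: Dict[str, str]) -> List[str]:
    """Accounts that would accept this plaintext.

    Needs the plaintext (an admin tool has it at password-change time) and
    one hash computation per account, because every salt differs.
    """
    return sorted(user for user, stored in records.items() if verify(password, stored))


def stored_strings_collide(records: Dict[str, str]) -> bool:
    """With per-account salts, equal passwords do not yield equal hash fields,
    so comparing stored strings is useless for spotting reuse."""
    hashes = [s.rsplit("$", 1)[1] for s in records.values()]
    return len(set(hashes)) != len(hashes)


# Constructed sample accounts; "ron" and "user" deliberately share a password.
SAMPLE_RECORDS = {
    "ron": hash_password("x86forum"),
    "user": hash_password("x86forum"),
    "administrator": hash_password("hunter2"),
}

if __name__ == "__main__":
    print(SAMPLE_RECORDS["ron"])
    print("hash fields collide:", stored_strings_collide(SAMPLE_RECORDS))
    print("accounts accepting 'x86forum':", users_sharing("x86forum", SAMPLE_RECORDS))
```

Running it shows two different stored strings for the two accounts that share "x86forum", no collision between hash fields, and the reuse check still naming both accounts once it is handed the plaintext.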
-
(Note: that's the actual line from my /etc/shadow file on my laptop -- if somebody can PM me my actual password, I'll send them a prize. I'll be *extremely* surprised if that happens, though, so it'll be an exceptionally nice prize. :) )
that sounds like a challenge!
-
(Note: that's the actual line from my /etc/shadow file on my laptop -- if somebody can PM me my actual password, I'll send them a prize. I'll be *extremely* surprised if that happens, though, so it'll be an exceptionally nice prize. :) )
that sounds like a challenge!
That's logical, since it IS a challenge.
Good luck!
-
Dammit iago that was too easy. password isn't a very secure password!
-
Dammit, must be a collision!
-
Oh, right. The catch is that you have to know the unencrypted password. It didn't occur to me that such information was available, even though the screen shot clearly shows it is :P