On 11.02.2013 14:38, Donald Stufft wrote:
> On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
>> Giovanni Bajo wrote:
>>> On 11 Feb 2013, at 13:25, Jesse Noller
>>> <[email protected]> wrote:
>>>
>>>> Actually I was thinking about this in the shower: the likelihood
>>>> that pypi users used the same passwords as they did on the wiki is
>>>> probably much higher than any of us assume.
>>>
>>> Given that the passwords were unsalted in both instances, a set
>>> intersection is enough to verify.
>>
>> The moin wiki passwords were salted.
>>
>> The reason we reset the passwords, was that the attackers had
>> access to both the salt and the hashes.
>>
> What were they hashed with? Even with a salt a fast hash is trivial to
> bruteforce for a large number of passwords in practically no time
> with trivial hardware.

It uses SSHA, that's sha1(password + salt) with a seven char salt.

Christian
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
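The two points made in this thread, as an added Python example that is not part of the original message or of the wiki's or PyPI's code: a per-user salt defeats the set-intersection check for password reuse, but one salted SHA-1 is still far cheaper per check than an iterated KDF. The user tables, the salt alphabet and the choice of PBKDF2-HMAC-SHA256 with 200,000 iterations as the slow contrast are assumptions made for illustration.

```python
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumed salt alphabet

def new_salt(length=7):
    """Random seven-character salt (length taken from the thread)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length)).encode()

def unsalted_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()

def ssha(password, salt):
    """sha1(password + salt), as described in the thread."""
    return hashlib.sha1(password.encode() + salt).hexdigest()

def slow_hash(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256: an iterated KDF chosen here for contrast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def shared_hashes(table_a, table_b):
    """Stored hash values present in both user tables."""
    return set(table_a.values()) & set(table_b.values())

def hashed(table, fn):
    return {user: fn(pw) for user, pw in table.items()}

def cost_ratio(rounds=2000):
    """CPU cost of one slow_hash check relative to one SSHA check."""
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(rounds):
        ssha("constructed-sample", salt)
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    slow_hash("constructed-sample", salt)
    return (time.perf_counter() - start) / fast

# Constructed sample: one user reuses a password on two sites.
SITE_A = {"alice": "reused-pw", "bob": "only-on-a"}
SITE_B = {"alice": "reused-pw", "carol": "only-on-b"}

if __name__ == "__main__":
    # Unsalted: the reused password shows up as an identical stored value.
    print(shared_hashes(hashed(SITE_A, unsalted_sha1), hashed(SITE_B, unsalted_sha1)))
    # Salted per user: the intersection is empty even though the password is reused.
    print(shared_hashes(hashed(SITE_A, lambda pw: ssha(pw, new_salt())),
                        hashed(SITE_B, lambda pw: ssha(pw, new_salt()))))
    print(f"one PBKDF2 check costs ~{cost_ratio():,.0f}x one SSHA check")
```

The ratio printed at the end is the work factor that each password check gains when a fast salted hash is replaced by an iterated one.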
