On 11.02.2013 14:49, Christian Heimes wrote:
> On 11.02.2013 14:38, Donald Stufft wrote:
>> On Monday, February 11, 2013 at 8:15 AM, M.-A. Lemburg wrote:
>>> Giovanni Bajo wrote:
>>>> On 11/Feb/2013, at 13:25, Jesse Noller
>>>> <[email protected]> wrote:
>>>>
>>>>> Actually I was thinking about this in the shower: the likelihood
>>>>> that pypi users used the same passwords as they did on the wiki is
>>>>> probably much higher than any of us assume.
>>>>
>>>> Given that the passwords were unsalted in both instances, a set
>>>> intersection is enough to verify.
>>>
>>> The moin wiki passwords were salted.
>>>
>>> The reason we reset the passwords was that the attackers had
>>> access to both the salt and the hashes.
>>>
>> What were they hashed with? Even with a salt, a fast hash is trivial to
>> brute-force for a large number of passwords in practically no time
>> with trivial hardware.
>
> It uses SSHA, that's sha1(password + salt) with a seven char salt.
Right, should have added that information.

BTW: I wonder why salt and password are usually stored together in the same place.

The moin implementation also did not add any application salt to the password string before calculating the hash value (i.e. x = hash(random_salt + application_salt + password)). Not sure whether passlib does, either.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 11 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
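The scheme the thread describes, as an added worked example (this is not MoinMoin's, passlib's or any poster's code): sha1(password + salt) with a seven-character salt, the salt stored next to the digest, a guessing loop over a dump showing why the salt alone does not stop Donald's brute-force, the per-account check that replaces Giovanni's set intersection once hashes are salted, and the hash(random_salt + application_salt + password) layout Marc-Andre asks about. The `{SSHA}` base64(digest + salt) storage format is the conventional LDAP layout and is an assumption here; the account names, passwords, salts and candidate lists are constructed sample data.

```python
# Added example, not code from MoinMoin, passlib or the thread's authors.
# Models sha1(password + salt) with a seven-character salt kept beside the
# digest; the {SSHA}base64(digest + salt) layout is an assumption.
import base64
import hashlib
import hmac
import os

SALT_LEN = 7  # seven-character salt, as stated in the thread


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Salted SHA-1: sha1(password + salt), stored as {SSHA}base64(digest + salt)."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> tuple[bytes, bytes]:
    """Recover (digest, salt) from a stored value. The salt sits next to the
    hash, so a dump of the user table hands an attacker both at once."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def ssha_verify(password: str, stored: str) -> bool:
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def crack_ssha(stored: dict[str, str], candidates: list[str]) -> tuple[dict[str, str], int]:
    """Offline guessing against a dump of salted hashes.

    The per-user salt only rules out a precomputed table; each guess is still
    one SHA-1 call, so the whole run costs at most
    len(stored) * len(candidates) cheap hashes. Returns the recovered
    {user: password} map and the number of hash operations spent.
    """
    found: dict[str, str] = {}
    work = 0
    for user, value in stored.items():
        digest, salt = ssha_split(value)
        for guess in candidates:
            work += 1
            if hashlib.sha1(guess.encode("utf-8") + salt).digest() == digest:
                found[user] = guess
                break
    return found, work


def reused_accounts(cracked: dict[str, str], other_store: dict[str, str]) -> list[str]:
    """Salted hashes from two sites cannot be intersected directly, but a
    password recovered from one dump can be re-hashed under the other site's
    salt. Returns the users whose hash on the other site accepts it."""
    return sorted(user for user, pw in cracked.items()
                  if user in other_store and ssha_verify(pw, other_store[user]))


def peppered_hash(password: str, salt: bytes, pepper: bytes) -> bytes:
    """hash(random_salt + application_salt + password): the application salt
    (pepper) lives in application configuration, not in the user table."""
    return hashlib.sha1(salt + pepper + password.encode("utf-8")).digest()


def crack_peppered(records: dict[str, tuple[bytes, bytes]], candidates: list[str],
                   pepper: bytes) -> dict[str, str]:
    """Same guessing loop against peppered records. An attacker who only has
    the database dump does not know the pepper and effectively guesses with
    pepper=b""; the loop then finds nothing."""
    found: dict[str, str] = {}
    for user, (digest, salt) in records.items():
        for guess in candidates:
            if peppered_hash(guess, salt, pepper) == digest:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    # Constructed sample data: two accounts and a tiny candidate list.
    wiki = {"alice": ssha_hash("letmein"), "bob": ssha_hash("Tr0ub4dor&3")}
    found, work = crack_ssha(wiki, ["password", "letmein", "qwerty"])
    print(found, work)
```

The pepper only helps while it stays out of the attacker's hands; once the application host is compromised along with the database, the scheme is back to one SHA-1 per guess. What actually raises the per-guess cost is a deliberately slow, tunable KDF (bcrypt, scrypt, PBKDF2 with a high iteration count), which is why the salt-plus-fast-hash construction above should not be used for new designs regardless of where the salt is stored.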
