Well what kind of string am I working with? For all I know, you could've hashed a whole book. Is there a length limit? (as there would very likely be if this was a password)

-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 4:36 PM
To: CF-Talk
Subject: Re: pseudo-memory leak

Tell you what. See how long it takes you to brute force this hash. Post the cleartext when you get it.

6AF59B04BA48B18C15E3CB3ACB2BA75B

I want to see how long it takes you.

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> The passwords in Windows are stored as hashes. They are not stored as
> plaintext. In order to get the password, you would need to brute
> force the hash.
>
> Cracking Windows passwords is an old idea with a great set of tools
> behind it. We are just using that knowledge to show that you
> shouldn't store passwords in cookies, hashed or not.
>
> As far as I understand it, if you store something as a client
> variable, there is no way for a hacker to get at it (unless of course he
> somehow gets into your database server, in which case all bets are
> off). But if you store it as a cookie, it's much more vulnerable to foul play.
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 4:14 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> If you are an admin on the machine you could get the passwords even if
> they weren't in cookies! If someone ever puts in their password at
> all outside of SSL, you can sniff the password. If someone steals the
> SAM file, what does it matter where I store the password or how I hash it?
>
> What does that have to do with cookies vs client variables and the
> security impact of the two?
>
> On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> > Not really. There are different ways of getting hashes. One is
> > you can be an admin on the machine, and you can get the passwords of
> > all the users.
> > Another way is to sniff it going across the network. You can also
> > steal the SAM file and get the password that way.
> > The point is, you don't always need to have a login on the system
> > (or physical access to the machine) to get people's passwords off of it.
> >
> > -----Original Message-----
> > From: Robertson-Ravo, Neil (RX) [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 29, 2005 3:22 PM
> > To: CF-Talk
> > Subject: RE: pseudo-memory leak
> >
> > LOL, isn't that just like saying - I can get into any computer which
> > is locked...... if you give me the password?

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:225636
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
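The thread's point (a password hash in a cookie can be checked offline against guesses, whereas a server-side token like a client variable exposes nothing) as an added Python example that is not part of the original thread; the wordlist, usernames and SERVER_KEY are constructed assumptions, and the hardened design is a generic opaque session id, not anything the list discussed in detail.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample wordlist for illustration only (not from the thread).
WORDLIST = ["password", "letmein", "coldfusion", "november2005", "hunter2"]


def weak_cookie(password: str) -> str:
    """The risky design discussed above: cookie value = unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest().upper()


def guessable(cookie_value: str, wordlist) -> Optional[str]:
    """Defensive policy check: is this cookie value the MD5 of a common password?
    A stolen cookie of this form can be compared offline the same way, which is
    why a hashed password is still a password. Returns the matching word or None."""
    for word in wordlist:
        if hmac.compare_digest(weak_cookie(word), cookie_value.upper()):
            return word
    return None


# Hardened design: the cookie carries only a random, opaque session id plus an
# HMAC tag; the user mapping lives server-side (as CF client variables do).
SESSIONS: Dict[str, str] = {}
SERVER_KEY = secrets.token_bytes(32)  # assumed per-server secret, unrelated to any password


def issue_session(username: str) -> str:
    """Create a server-side session and return the cookie value for it."""
    sid = secrets.token_hex(16)  # 128 random bits: nothing to brute force against a wordlist
    SESSIONS[sid] = username
    tag = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def resolve_session(cookie_value: str) -> Optional[str]:
    """Map a presented cookie back to a user; tampered or unknown values yield None."""
    try:
        sid, tag = cookie_value.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return SESSIONS.get(sid)
```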