Seems like it is taking him a while ;-)
-----Original Message-----
From: Ryan Guill [mailto:[EMAIL PROTECTED]
Sent: 29 November 2005 21:52
To: CF-Talk
Subject: Re: pseudo-memory leak

I'll give you another. Just to make sure it's all kosher. Let's say a normal password string, could include numbers and letters, max length of 20, min length of 6. That should narrow it down some for you. No spaces either.

997DA8FE4C40296C21CE8E1EB9BDC5B6

On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> Well what kind of string am I working with? For all I know, you could've hashed a whole book. Is there a length limit? (as there would very likely be if this was a password)
>
> -----Original Message-----
> From: Ryan Guill [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, November 29, 2005 4:36 PM
> To: CF-Talk
> Subject: Re: pseudo-memory leak
>
> Tell you what. See how long it takes you to brute force this hash. Post the cleartext when you get it.
>
> 6AF59B04BA48B18C15E3CB3ACB2BA75B
>
> I want to see how long it takes you.
>
> On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> > The passwords in Windows are stored as hashes. They are not stored as plaintext. In order to get the password, you would need to brute force the hash.
> >
> > Cracking Windows passwords is an old idea with a great set of tools behind it. We are just using that knowledge to show that you shouldn't store passwords in cookies, hashed or not.
> >
> > As far as I understand it, if you store something as a client variable, there is no way for a hacker to get at it (unless of course he somehow gets into your database server, in which case all bets are off). But if you store it as a cookie, it's much more vulnerable to foul play.
> >
> > -----Original Message-----
> > From: Ryan Guill [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 29, 2005 4:14 PM
> > To: CF-Talk
> > Subject: Re: pseudo-memory leak
> >
> > If you are an admin on the machine you could get the passwords even if they weren't in cookies! If someone ever puts in their password at all outside of SSL, you can sniff the password. If someone steals the SAM file, what does it matter where I store the password or how I hash it?
> >
> > What does that have to do with cookies vs client variables and the security impact of the two?
> >
> > On 11/29/05, Russ <[EMAIL PROTECTED]> wrote:
> > > Not really. There are different ways of getting hashes. One is you can be an admin on the machine, and you can get the passwords of all the users. Another way is to sniff it going across the network. You can also steal the SAM file and get the password that way. The point is, you don't always need to have a login on the system (or physical access to the machine) to get people's passwords off of it.
> > >
> > > -----Original Message-----
> > > From: Robertson-Ravo, Neil (RX) [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, November 29, 2005 3:22 PM
> > > To: CF-Talk
> > > Subject: RE: pseudo-memory leak
> > >
> > > LOL, isn't that just like saying - I can get into any computer which is locked......if you give me the password?
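The disagreement in the thread is about a cookie that carries a password hash versus a client variable kept on the server. The Python below is an added example, not code from the thread or from ColdFusion; it assumes MD5 as the hash (the thread never names the algorithm) and an in-memory dict standing in for the server-side store. It puts the two designs side by side: the cookie design produces a value that is purely password-derived and identical on every login, so a copy of it is both replayable for the life of the password and an offline target, while the server-side design hands the browser a random token that carries no password material and can be revoked.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential; not a value from the thread.
USERS = {"alice": "Passw0rd99"}


def cookie_design_login(user, password):
    """Cookie holding the password hash (assumed MD5, unsalted, upper hex).

    Anything the server verifies by recomputing from the password is, by
    construction, a function of the password alone: the cookie never changes
    while the password stands, and whoever copies it holds the hash itself."""
    if USERS.get(user) != password:
        return None
    return hashlib.md5(password.encode()).hexdigest().upper()


def cookie_design_check(user, cookie):
    expected = hashlib.md5(USERS[user].encode()).hexdigest().upper()
    return hmac.compare_digest(expected, cookie)


# Server-side store, the role database-backed client variables play:
# the browser only ever holds an opaque random identifier.
SESSIONS = {}
SESSION_TTL = 3600


def server_side_login(user, password):
    if USERS.get(user) != password:
        return None
    token = secrets.token_hex(16)  # 128 random bits, no password material
    SESSIONS[token] = {"user": user, "expires": time.time() + SESSION_TTL}
    return token


def server_side_check(token):
    entry = SESSIONS.get(token)
    if entry is None or entry["expires"] < time.time():
        SESSIONS.pop(token, None)
        return None
    return entry["user"]


def server_side_revoke(token):
    """A leaked token is dropped server-side; the password was never exposed."""
    return SESSIONS.pop(token, None) is not None
```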