It is possible for passwords to be encrypted (i.e. with AES) and then
encoded with Base64 before storing them in the DB.
What do you get after decoding those Base64 strings? Binary data?
wbr,
- Max
> Hi Everyone, I'm currently reviewing an app prior to launching to our
> prod. One of our security requirements is for the password to be
> encrypted.
> When I checked the password field in the DB, I noticed that all passwords
> are ending with a double equal sign, e.g. "==".
> I am under the impression that they are just Base64 encoded rather
> than encrypted. However, I tried decoding it using Base64 but I'm not
> getting valid data.
>
> Am I right in saying that the password is encoded? If yes, with what,
> e.g. Base64?
> How can I prove or show them that the password is just encoded
> rather than encrypted?
> Or is it encrypted?
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
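An added example (not from the thread) of the check Max proposes: decode the stored values and look at what comes out. The two sample values are constructed here, the first plain Base64 of a password and the second Base64 of 16 arbitrary bytes; both end in "==", which only reflects the decoded length, not encryption.

```python
import base64
import binascii
import math

# Constructed sample values standing in for a DB password column.
# First: plain Base64 of the password "hunter2".
# Second: Base64 of 16 arbitrary bytes, the shape an AES block or a
# raw 16-byte digest would have. Both happen to end in "==".
SAMPLE_VALUES = [
    base64.b64encode(b"hunter2").decode("ascii"),
    base64.b64encode(bytes.fromhex("9f1c3a7be0554d2c8ab3e17f06c49d21")).decode("ascii"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the decoded value (capped by log2(len))."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str):
    """Decode one stored value and report what a reviewer would note.

    Returns None when the value is not valid Base64 at all.
    """
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = all(0x20 <= b <= 0x7E for b in decoded)
    return {
        "decoded": decoded,
        "length": len(decoded),
        # Trailing "==" only means decoded length is 1 mod 3.
        "padding_chars": value.count("="),
        "printable": printable,
        # Multiple of 16 is consistent with a block cipher or a
        # 16/32-byte digest; it is not proof of either.
        "block_aligned": len(decoded) % 16 == 0,
        "entropy_bits_per_byte": round(shannon_entropy(decoded), 2),
        "verdict": "plaintext, merely encoded" if printable
                   else "opaque bytes: encrypted, hashed or random",
    }


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(v, "->", classify(v))
```

If every value decodes to readable text, the passwords are only encoded; opaque output of a fixed length across all rows points to a hash or cipher, and distinguishing those two needs the application's code or key handling, not the column alone.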