BugTraq
phpBB Security Bugs Feb 20 2003 08:37PM
Lucas Armstrong (lucas cgishield com) (1 replies)
Re: phpBB Security Bugs Feb 21 2003 10:19AM
Konrad Rieck (kr roqe org) (1 replies)
Hi Lucas & List,

On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
> If a correct password hash digit is guessed, the admin's name will show up
> as an online user, in the online user list at the bottom of the forum
> page. After the password hash is determined, it is then placed in the
> cookie and access is granted to the site.

I am just wondering... You are talking about guessing a 33-digit
hexadecimal number?

Even if there are 1.000 admin passwords in the hash-space and you
succeed in finding one after only searching 10% of space and you are
checking about 1.000.000 hashes per second, you won't finish until the
sun goes nova (which is rather impractical, especially for CPU-
cooling).

I believe this is a theoretical attack against phpBB 2.0, but maybe I
missed some magic in the way phpBB generates these password hashes;
actually I haven't looked at the code.

Regards,
Konrad

--
Konrad Rieck <kr (at) roqe (dot) org> --------------------------------------------+
Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
Fingerprint: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3 -------+
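
The two work factors under discussion in this message, as an added example that is not part of the original thread: guessing whole hashes blindly with the figures given above, versus a signal that confirms one digit at a time as the quoted report describes. The function names and the sample hash are constructed for illustration; the per-digit signal is modelled as a local prefix check, not as phpBB code.

```python
import hashlib

HEX = "0123456789abcdef"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def blind_search_years(digits, fraction_searched, guesses_per_second):
    """Years needed to try a fraction of all hex strings of a given length."""
    guesses = (16 ** digits) * fraction_searched
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def oracle_worst_case(digits):
    """Upper bound on guesses when every digit is confirmed separately."""
    return 16 * digits


def count_oracle_queries(secret_hex):
    """Count yes/no answers consumed when each answer says whether the
    guessed prefix is correct (the leak the quoted report describes)."""
    known = ""
    queries = 0
    for _ in secret_hex:
        for candidate in HEX:
            queries += 1
            if secret_hex.startswith(known + candidate):
                known += candidate
                break
    assert known == secret_hex
    return queries


if __name__ == "__main__":
    # Figures from the message: 33 hex digits, 10% of the space,
    # 1.000.000 hashes per second.
    print("blind search: %.2e years" % blind_search_years(33, 0.1, 1_000_000))
    print("per-digit bound, 33 digits:", oracle_worst_case(33))

    # Constructed sample value, not taken from any real system.
    sample = hashlib.md5(b"constructed-sample-password").hexdigest()
    print("per-digit answers for a sample hash:", count_oracle_queries(sample))
```

The gap between the two numbers is why any response that differs on a partially correct credential has to be treated as the defect, independent of how large the hash space is.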

Re: phpBB Security Bugs Feb 22 2003 10:20AM
Christian Vogel (chris obelix hedonism cx)


 
