On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said: > This isn't a password disclosure, it's a leak of password information. > > It's a password hash, you super hacker. And given the hash, and knowledge of how the hash is computed, it becomes possible to dictionary-attack (and other related techniques), and thus get the actual passwords, unless there are other things in place to ensure that all users have passwords sufficiently strong to resist those techniques. And given that this: > http://remote_server/data/users.0.dat works, the probability that the hashes represent strong passwords is quite close to nil. In any *practical* sense, the fact that the attacker can get the hash and from that extract/compute at least some passwords means that the passwords are *effectively* disclosed, even if the actual bitstring originally retrieved isn't the actual password.
Attachment:
pgpEkGgSzLxVZ.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/