search for: selphie

On Thu, Jul 21, 2016 at 12:31 PM, Selphie Keller <selphie.keller at gmail.com> wrote: > Ahh i see, just got up to speed on the issue, so seems like the issue is > related to blowfish being faster then sha family hashing for longer length > passwords, or the system's crypt() not understanding $2a$ -style salts, which mos...

I thought this was already addressed with the internal blowfish hash of "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK" to where all passwords were checked against this to prevent timing analysis for user enumeration. On 20 July 2016 at 19:45, Darren Tucker <dtucker at zip.com.au> wrote: > On Tue, Jul 19, 2016 at 11:10 PM, C0r3dump3d <coredump at

On Wed, Jul 20, 2016 at 09:02:57PM -0600, Selphie Keller wrote: > I wonder if could be useful to set the fall back account to something user > defined to avoid suggesting people add passwords to root, though I do like > root since the account is always there, Since committing that diff I've heard of people running in production with...

On Thu, Jul 21, 2016 at 1:34 PM, Selphie Keller <selphie.keller at gmail.com> wrote: > yeah I like this idea, fixes the issue with blowfish hashes and non root > passwords, maybe random delay as the final fall back if no salts/passwords > are found. Well if there are no accounts with a valid salt then there's also no v...