Re: Password
Cristiano Fujii wrote:
> Hi all,
> The $entry->printLDIF command returns something like this:
> userpassword: {crypt}QxInOK0JnFxdI . Can I get the password
> decrypted?
It doesn't store the password.
To repeat: It is *not* the password, so you can't decrypt it. If you
did "decrypt" it properly, the result would be "0000000....".
It works like this:
A block of zeros is encrypted, using the password itself as a way
of making a math problem. That math problem is then applied to
a known number (a block of zeros). The result of that math problem
is then stored. The "QxInOK0JnFxdI" you see is really a conversion
of that result, as in:
QxInOK0JnFxdI = 27328437235578293357233525823732267482537537895754283
1821101283781092783129382113621868218888.
This allows other computers to run the same math problem and compare
the _results_, without ever transmitting the math problem (the password)
itself.
As Kurt noted, your best bet to guess that math problem is to try
a brute force attack, where you feed a computer millions of possible
math problems (passwords), until you get the right number as a result.
An easy password can be broken in minutes to hours. A complex password
(say, 25 random characters) may take days to years.
-Ron
--
Brought to you from boop!, the dual boot Linux/Win95 Compaq Presario 1625
laptop, currently running RedHat 6.1. Your bopping may vary.
- References:
- Password
- From: Cristiano Fujii <cristiano@veritel.com.br>
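
The following Perl is an added example, not part of the original message or of Net::LDAP: it splits the `{crypt}` value quoted in the thread into its salt and the 64-bit result it encodes, then shows a login check done by recomputing and comparing, using Perl's built-in `crypt`. The helper names, the sample password `example-pw` and the salt `ab` are assumptions made for the example, and it assumes the system crypt(3) still supports the traditional DES scheme.

```perl
use strict;
use warnings;

# crypt(3) alphabet: each character of the stored string carries 6 bits.
my @ALPHABET = ('.', '/', '0' .. '9', 'A' .. 'Z', 'a' .. 'z');
my %VALUE;
@VALUE{@ALPHABET} = (0 .. $#ALPHABET);

# Split "{crypt}" + 2 salt characters + 11 result characters.
sub parse_userpassword {
    my ($attr) = @_;
    my ($salt, $digest) =
        $attr =~ m/^\{crypt\}([.\/0-9A-Za-z]{2})([.\/0-9A-Za-z]{11})$/i
        or die "not a traditional {crypt} value: $attr\n";
    return ($salt, $digest);
}

# 11 characters x 6 bits = 66 bits: a 64-bit cipher output plus 2 padding bits.
# Returns the 64-bit output as 16 hex digits.
sub digest_to_hex {
    my ($digest) = @_;
    my $bits = join '', map { sprintf '%06b', $VALUE{$_} } split //, $digest;
    die "padding bits are not zero\n" unless substr($bits, 64) eq '00';
    return unpack 'H*', pack 'B64', $bits;
}

# Verification never decrypts: it reruns crypt() with the stored salt
# and compares the result with what the directory holds.
sub verify {
    my ($candidate, $attr) = @_;
    my ($salt, $digest) = parse_userpassword($attr);
    my $again = crypt($candidate, $salt);
    return defined $again && $again eq $salt . $digest;
}

my $from_post = '{crypt}QxInOK0JnFxdI';    # value quoted in the thread
my ($salt, $digest) = parse_userpassword($from_post);
printf "salt=%s  64-bit result=0x%s\n", $salt, digest_to_hex($digest);

# Constructed sample: this password and salt are made up for the demonstration.
my $stored = '{crypt}' . crypt('example-pw', 'ab');
for my $try ('example-pw', 'Example-pw') {
    printf "%-12s %s\n", $try, verify($try, $stored) ? 'match' : 'no match';
}
```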