Quick security question

Dave Hull dphull at gmail.com
Sat Feb 17 21:33:01 CST 2007


Interesting question.

Mathematically, the hashes of "testpass" and "tespass" are very
different, so obviously the passwd program isn't comparing hashes.
What is it comparing?

When a user runs the passwd program, they are prompted for their old
password, and the passwd program stores that value; then the user is
prompted for a new password, and the new value is compared to the old
value. The hashes themselves are not being compared.

When root runs the passwd program, it doesn't prompt for the old
password value so there's no comparison.

On 2/17/07, cragos at gmail.com <cragos at gmail.com> wrote:
> Can someone more familiar than I with the math behind one-way hashes
> explain how a hashed string is compared with a string in plaintext?  I
> had a typo in the text I fed to passwd, and, when I went back in to
> fix the typo, I got an error message that read: "BAD PASSWORD: is too
> similar to the old one"
>
> Of course, that was easy enough to override as root, but it raises an
> interesting question.  Anyone game to explain the math behind how it
> was able to tell?
>
> Thanks,
> Sean
> _______________________________________________
> Kclug mailing list
> Kclug at kclug.org
> http://kclug.org/mailman/listinfo/kclug
>


-- 
Dave Hull
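To make the point above concrete, here is an added example (not code from this thread, and not the code of passwd or the PAM modules it calls). It shows that the hashes of "testpass" and "tespass" differ in roughly half their bits, so a hash comparison carries no similarity signal, and then performs the kind of check passwd can do only because it still holds both plaintexts during the change. The difok value of 5 is pam_cracklib's documented default; the similarity rule itself is a simplified approximation written for illustration, not the module's actual algorithm, and treating root's run as "no old password, no comparison" mirrors the behaviour described in the reply.

```python
"""Illustrative check: why passwd can call a new password "too similar".

Added example, not code from the mailing-list thread or from passwd/PAM.
It contrasts comparing hashes (useless for similarity) with comparing the
two plaintexts passwd holds while a user is changing their password.
"""
import hashlib
from typing import Optional

# pam_cracklib's documented default for `difok`. The rule below that uses it
# is a simplified approximation (assumption), not the module's own code.
DIFOK = 5


def hash_bit_difference(a: str, b: str) -> int:
    """Hamming distance in bits between SHA-256(a) and SHA-256(b).

    For any two distinct inputs this lands near 128 of 256 bits no matter
    how close the inputs are, so a hash comparison cannot measure similarity.
    """
    da = hashlib.sha256(a.encode()).digest()
    db = hashlib.sha256(b.encode()).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two plaintexts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def chars_not_in_old(old: str, new: str) -> int:
    """Count characters of the new password that never occur in the old one.

    This is the quantity a difok-style rule is about: how many characters
    actually changed. Simplified approximation, not pam_cracklib's loop.
    """
    return sum(1 for c in new if c not in old)


def check_new_password(old: Optional[str], new: str,
                       difok: int = DIFOK) -> Optional[str]:
    """Return a rejection message, or None if the new password is acceptable.

    `old` is the plaintext the user typed at the old-password prompt, kept in
    memory only for this change. When root changes a password, passwd never
    asks for the old one, so `old` is None and the similarity rule cannot
    fire, which is why the original poster could override the rejection.
    """
    if old is None:
        return None
    if new == old:
        return "BAD PASSWORD: is the same as the old one"
    if chars_not_in_old(old, new) < difok:
        return "BAD PASSWORD: is too similar to the old one"
    return None


if __name__ == "__main__":
    # Constructed sample inputs taken from the original question.
    old, typo = "testpass", "tespass"
    print("hash bits differing:", hash_bit_difference(old, typo), "of 256")
    print("edit distance:", levenshtein(old, typo))
    print("user changing own password:", check_new_password(old, typo))
    print("root, no old password asked:", check_new_password(None, typo))
```

Run it as a script to see the two comparisons side by side: the digests disagree in about half their bits while the plaintexts are one deletion apart, and only the plaintext check produces the "too similar" message.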
