Known hash replay attack

|
The use of client side password hashing in web application (such as http://pajhome.org.uk/crypt/md5/) may be on the rise. At least it appears that way to me as I have seen several deployments lately.

These hashing libraries usually promises to keep a user's password secure in non ssl environments.
One could argue that they perform the intended task. The problem with http traffic compared to https is that the traffic is obtainable by anyone else connected to the same network as the user (or the server). If an attacker obtains the hashed password string he or she can provide the hash to the server to authenticate as the user without knowing the users actual password.

This does mean that the user's plaintext password is safe until the hacker breaks it so for users who use the same password everywhere, there is a marginal protection when websites use hashed passwords. It's still a far cry from the relative security of submitting sensitive data over a SSL encrypted connection.

The March addition to Jason is iterate.pl, a script which iterates numeric values in passwords.
~/Jason$ ./iterate.pl password1
password1
password0
password2
password3
password4
password5
password6
password7
password8
password9

You can grab a copy from the github project page: https://github.com/wireghoul/Jason
No Clean Feed - Stop Internet Censorship in Australia
Creative Commons License
This weblog is licensed under a Creative Commons License.