Re[2]: UserID and hashed password for Lotus Domino

From: Philip Storry (philat_private)
Date: Sun Oct 20 2002 - 12:45:21 PDT

Next message: Dragos Ruiu: "Re: Covert Channels"

Previous message: Philip Storry: "Re[2]: UserID and hashed password for Lotus Domino"
Next in thread: jeffat_private: "Re: UserID and hashed password for Lotus Domino"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Sherlog,

Saturday, October 19, 2002, 1:25:59 AM, you wrote:

S> As a side note, one iteration of the MD5 compression function takes about 300
S> cycles on a Pentium and 500 cycles on a Pentium 4 (but significantly less if
S> SIMD instructions are used to to hash 4 blocks at the same time), and an
S> optimized brute-force password searcher can be expected to work at
S> approximately this rate. More than one million trials per second is the
S> ballpark figure your subconscious should serve up if talk comes to
S> brute-forcing passwords ...

But you can't make the trials yourself. You have to make them via the
Notes C API - which both introduces an overhead and, if I recall
correctly, also introduces artificial delays if it finds you making
many failed requests to unlock an ID file.

(Although there may be a way in the API to bypass the artificially
generated delays...)

S> This means a normal-sized dictionary can be processed in less than a second
S> and all variants derived by appending a single letter/digit can be processed
S> in less than a minute - if somebody bothers to reverse-engineer the Lotus
S> password hash in order to create an optimized implementation. 

If you reverse-engineer the whole ID file structure and the hash, then
yes you could do this. The program that attacks ID files which was
kindly suggested to the list uses the Notes C API, so it requires no
knowledge of the ID file format or the hash - it simply keeps asking
Notes to unlock the file with different passwords. The Internet hash
cracker seems to do it a similar way.

(Why else would they both require the Lotus Notes programs to be in
the path?)

S> Password hashes that are word-readable anonymously via the Internet are not a
S> security hole? LOL

Oh, they are a security hole. Go back and read my message. They should
never have been readable anonymously - someone has screwed up in
securing what is only the most important database in a Domino
environment. :-(

-- 
Best regards,
 Philip                            mailto:philat_private

Next message: Dragos Ruiu: "Re: Covert Channels"
Previous message: Philip Storry: "Re[2]: UserID and hashed password for Lotus Domino"
Next in thread: jeffat_private: "Re: UserID and hashed password for Lotus Domino"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 21 2002 - 08:23:43 PDT