A hole in crypt_blowfish
Posted Jun 22, 2011 21:22 UTC (Wed) by jzbiciak
In reply to: A hole in crypt_blowfish
Parent article: A hole in crypt_blowfish
I'm not sure I follow. Suppose my password was "ab£", as given in the article. With this bug, someone could log in as me with simply "£", or "xy£".
If you have a corrected library and are generating fresh hashes, no prohibition on char 255 or any high-bit-set character is necessary. If you're trying to let in folks with high-bit-set characters and old hashes (so that they can fix their passwords), the char 255 restriction achieves nothing.
What was your goal again?
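The collision described in the comment above can be reproduced with a small model of how password bytes are packed into 32-bit words for the Blowfish key schedule. This is an added example, not code from the comment or from crypt_blowfish. It assumes "£" is the single ISO-8859-1 byte 0xA3, and the names `expand_key` and `same_key_material` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_WORDS 18 /* the Blowfish P-array takes 18 32-bit words of key */

/* Pack a NUL-terminated password into BF_WORDS words, cycling over the
 * password with its terminating NUL included.
 * buggy != 0: bytes are read as signed char, so a high-bit byte is
 *             sign-extended and overwrites the bytes already in the word.
 * buggy == 0: bytes are read as unsigned char (corrected behaviour). */
static void expand_key(const char *key, int buggy, uint32_t out[BF_WORDS])
{
    const char *p = key;
    for (int i = 0; i < BF_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (buggy)
                tmp |= (uint32_t)(int32_t)(signed char)*p; /* 0xA3 -> 0xFFFFFFA3 */
            else
                tmp |= (unsigned char)*p;                  /* 0xA3 -> 0x000000A3 */
            p = *p ? p + 1 : key; /* wrap around after consuming the NUL */
        }
        out[i] = tmp;
    }
}

/* Returns 1 when both passwords produce identical key material. */
int same_key_material(const char *a, const char *b, int buggy)
{
    uint32_t wa[BF_WORDS], wb[BF_WORDS];
    expand_key(a, buggy, wa);
    expand_key(b, buggy, wb);
    return memcmp(wa, wb, sizeof wa) == 0;
}

int main(void)
{
    /* Constructed inputs: \xa3 is '£' and \xe9 is 'é' in ISO-8859-1. */
    const char *pairs[][2] = { {"ab\xa3", "\xa3"}, {"ab\xa3", "xy\xa3"},
                               {"ab\xe9", "\xe9"} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("pair %zu: buggy=%d fixed=%d\n", i,
               same_key_material(pairs[i][0], pairs[i][1], 1),
               same_key_material(pairs[i][0], pairs[i][1], 0));
    return 0;
}
```

The third pair uses 0xE9 rather than 0xFF, which shows that in this model any high-bit-set byte triggers the collision, not only char 255.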