Recent Features
| |||||||||||||
More serious in some localesMore serious in some localesPosted Jun 24, 2011 0:18 UTC (Fri) by solardiz (guest, #35993)In reply to: More serious in some locales by Cato Parent article: A hole in crypt_blowfish
Here's my analysis for Russian words in koi8-r and utf-8: http://www.openwall.com/lists/oss-security/2011/06/24/1
Some excerpts:
"Lengths that are _not_ at risk: 1, 2, 4, 6, 8, 10, 12, 14, 16, 18.
For 97946 different Russian words, I got "70890 (72%) and 97213 (99%) unique hashes for koi8-r and utf-8, respectively."
"For koi8-r, 22 hashes are seen over 100 times each, with the top one being seen 190 times. For utf-8, the top hash (most common) is seen 4 times, then 84 hashes are seen 3 times each.
Thus, obviously the bug does cause collisions. There are not as many of those as some people might expect for nearly purely 8-bit inputs. Yet the very common hashes for koi8-r are worrisome. Even though if one were to run the entire koi8-r wordlist against a bunch of hashes they'd only achieve a 30% speedup due to the bug, if they focus on words producing 22 top hashes - so they only try 22 words - they'd crack around 3% of passwords based on randomly picked words from that list (assuming uniform distribution of random word numbers). For utf-8, this risk is much lower: trying top 85 passwords (0.087% of candidates) effectively tests 256 of them (0.26%)."
(Log in to post comments)
More serious in some locales Posted Jun 24, 2011 7:48 UTC (Fri) by Cato (subscriber, #7643) [Link]
Thanks for the analysis - not as serious as I thought, but it makes sense that using KOI8-R results in more duplicate hashes than UTF-8.
More serious in some locales Posted Jun 24, 2011 16:17 UTC (Fri) by kozerog (guest, #75519) [Link]
I'm surprised anyone still uses KOI8-R instead of UTF-8.
|
|||||||||||||