[OWASP-Security101] hard coded password

João Paulo Ribeiro joao.paulo.ribeiro at live.com
Mon Jun 11 21:09:46 UTC 2012


Hi,

Hashing may not be enough. With only 5 bytes, it may be really easy to brute
force. Consider increasing password size and complexity if possible.

João Paulo Ribeiro | Principal QA Architect
www.maincheck.com


-----Original Message-----
From: security101-bounces at lists.owasp.org
[mailto:security101-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Saturday, 9 June 2012 19:51
To: MNMS srinivas
Cc: security101 at lists.owasp.org
Subject: Re: [OWASP-Security101] hard coded password

Try this: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Jun 9, 2012, at 2:25 AM, MNMS srinivas <mnms.srinivas at gmail.com> wrote:

> Hi,
>
> We are using a hardcoded password in our control system.
> This password is defined in a macro definition and any hacker can
> extract the hardcoded password from the executable image. Assume this
> hardcoded password has a length of 5 bytes (letters).
>
> Now I want to hash the password using any standard algorithm.
> Could you please suggest a suitable hashing algorithm for this
> case? And how can we compare different hashing algorithms?
>
> Thanks
> Srinivas
>
>
>
> On Fri, May 11, 2012 at 5:30 PM, <security101-request at lists.owasp.org> wrote:
>
>> Today's Topics:
>>
>>  1. hard coded password (MNMS srinivas)
>>  2. Re: hard coded password (Eric Brown)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 10 May 2012 18:00:30 +0530
>> From: MNMS srinivas <mnms.srinivas at gmail.com>
>> To: security101 at lists.owasp.org
>> Subject: [OWASP-Security101] hard coded password
>> Message-ID: <CAO526Mhw5mJPvoyNRH=QXUEJiRF-TWWdo=qF80xJx6bwp=howA at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hi all,
>>
>> What is the best way to replace/remove  the hard coded password from 
>> the binary image ?
>>
>> --
>> M.N.M.S.SRINIVAS.
>>
>>
>> BE GOOD DO GOOD
>>
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 10 May 2012 17:18:28 -0500
>> From: Eric Brown <ericbrow at gmail.com>
>> To: security101 at lists.owasp.org
>> Subject: Re: [OWASP-Security101] hard coded password
>> Message-ID: <CAPPm6m2Zm=1VHhUbBpx5fWTEsgkq0M0eEzRDBsoxXNajO4joNw at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Can you be a little more specific as to what kind of binary image?
>> Platform?  Device?  Software?  Image?  Document?
>>
>> On Thu, May 10, 2012 at 7:30 AM, MNMS srinivas <mnms.srinivas at gmail.com> wrote:
>>> Hi all,
>>>
>>> What is the best way to replace/remove the hard coded password from
>>> the binary image?
>>>
>>> --
>>> M.N.M.S.SRINIVAS.
>>>
>>>
>>> BE GOOD DO GOOD
>>> _______________________________________________
>>> Security101 mailing list
>>> Security101 at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/security101
>>> List Run By OWASP
>>> List Admin: Michael.Coates at owasp.org
>>
>>
>> ------------------------------
>>
>>
>> End of Security101 Digest, Vol 4, Issue 2
>> *****************************************
>>
>
>
>
> --
> M.N.M.S.SRINIVAS.
>
>
> BE GOOD DO GOOD
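Added example, not part of the original thread or any poster's code: a Python sketch of the point raised in the reply at the top, sizing the search space of a 5-letter password and storing a salted PBKDF2 verifier instead of the plaintext. PBKDF2-HMAC-SHA256, the iteration count, the function names and the guessing rates are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor; tune for the target hardware


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def hours_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case hours to try every candidate at the given guessing rate."""
    return alphabet_size ** length / guesses_per_sec / 3600


def make_verifier(password: str, iterations: int = ITERATIONS):
    """Return (salt, iterations, digest) to store in place of the password."""
    salt = os.urandom(16)  # per-secret random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def check_password(candidate: str, verifier) -> bool:
    """Recompute the digest and compare in constant time."""
    salt, iterations, expected = verifier
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed guessing rates (assumptions, not measurements):
    # a fast unsalted hash versus a deliberately slow KDF.
    rates = {"fast hash": 1e9, "slow KDF": 1e4}
    cases = [("5 lowercase letters", 26, 5),
             ("5 mixed-case letters", 52, 5),
             ("14 printable ASCII", 94, 14)]
    for label, alphabet, length in cases:
        print(f"{label}: {entropy_bits(alphabet, length):.1f} bits")
        for name, rate in rates.items():
            hours = hours_to_exhaust(alphabet, length, rate)
            print(f"  {name}: {hours:.3g} hours worst case")
    verifier = make_verifier("abcde")
    print(check_password("abcde", verifier), check_password("abcdf", verifier))
```

At the assumed rates, five lowercase letters are exhausted in under an hour even with the slow KDF, so the hash choice only helps once the secret itself is longer and drawn from a larger alphabet.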