[Wine] WineHQ database compromise

Josh Juran josh at iswifter.net
Wed Oct 12 15:35:55 CDT 2011


On Oct 12, 2011, at 5:58 AM, Jeremy White wrote:

> The current form of that is a fairly complex salted SHA-256 string.  However,
> that started in bugzilla version 4, which was released only this year.
> 
> For passwords encrypted in bugzilla prior to that, a simple crypt() was used.
> I haven't yet looked at the bugzilla code to determine if it was salted or not,
> or exactly how that crypt() was called.  The encrypted text is roughly the same
> length as a 64-bit DES encryption.
> 
> The appdb uses the sha1() mysql function which is a straightforward sha1sum.
> 
> I won't claim to be a cryptography expert, as I'm not.  My back-of-the-envelope
> analysis is that if you have a moderately complex password, you will likely
> be safe from any straightforward attempts to crack your password.  You may still
> be at risk to an extended brute force attack.  But here my ignorance kicks in;
> I don't know where the curve of password length + complexity matches the curve
> of 'time required to brute force an sha1'.

I'm not a cryptographer either, but note that SHA-1 is used by Git and others for its speed.  For hashing passwords, this is a bug, not a feature -- checking passwords should be slow rather than quick.  One hash function designed for passwords is bcrypt().

Josh
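The contrast Josh draws above, as an added example that is not code from the Wine project, the AppDB or either poster: an unsalted MySQL-style SHA1() store falls to a single precomputed dictionary table shared across every user, while a salted, deliberately slow hash forces one expensive computation per guess per user. The user names, passwords and wordlist are constructed for illustration. bcrypt is a third-party package in Python, so PBKDF2-HMAC-SHA256 from the standard library stands in for "a hash designed for passwords"; the point (tunable cost plus per-user salt) is the same.

```python
import hashlib
import hmac
import os
import time


def mysql_sha1(password: str) -> str:
    """Equivalent of MySQL SHA1(password): hex SHA-1 of the raw bytes, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample data (hypothetical accounts, not from the AppDB): what an
# appdb-style table looks like when passwords are stored with SHA1().
STOLEN_USERS = {
    "alice": mysql_sha1("password"),
    "bob": mysql_sha1("correct horse battery staple 7!"),
}

WORDLIST = ["123456", "password", "letmein", "qwerty", "wine"]  # constructed


def crack_unsalted(stolen: dict, wordlist: list) -> dict:
    """Dictionary attack against unsalted hashes.

    With no salt, one table of hash(word) serves every user in the dump at
    once, and it could have been built before the breach ever happened.
    """
    table = {mysql_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


# A deliberately slow, salted scheme.  The iteration count is the cost knob:
# raise it as hardware gets faster, exactly what bcrypt's work factor does.
ITERATIONS = 200_000


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def make_record(password: str) -> tuple:
    """Store (salt, iterations, digest); the salt is random and per user, so
    two users with the same password get different digests."""
    salt = os.urandom(16)
    return salt, ITERATIONS, slow_hash(password, salt)


def verify(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    # Constant-time compare so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(slow_hash(password, salt, iterations), digest)


def guess_cost_ratio(trials: int = 20) -> float:
    """Roughly how many SHA-1 guesses fit in the time of one slow-hash guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        slow_hash("guess", salt)
    slow_per_guess = (time.perf_counter() - t0) / trials
    n = 100_000
    t0 = time.perf_counter()
    for i in range(n):
        mysql_sha1("guess%d" % i)
    fast_per_guess = (time.perf_counter() - t0) / n
    return slow_per_guess / fast_per_guess


if __name__ == "__main__":
    print("cracked from unsalted SHA-1:", crack_unsalted(STOLEN_USERS, WORDLIST))
    rec = make_record("password")
    print("verify correct:", verify("password", rec),
          " wrong:", verify("Password", rec))
    print("same password, same digest twice?",
          make_record("password")[2] == rec[2])
    print("SHA-1 guesses per slow-hash guess: ~%.0f" % guess_cost_ratio())
```

Running it shows "alice" recovered from the unsalted table immediately, while the salted record for the same password verifies correctly, differs from a second record for the same password (so no shared lookup table works), and costs tens of thousands of SHA-1 evaluations per guess.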
