[Wine] WineHQ database compromise
Josh Juran
josh at iswifter.net
Wed Oct 12 15:35:55 CDT 2011
On Oct 12, 2011, at 5:58 AM, Jeremy White wrote:
> The current form of that is a fairly complex salted sha 256 string. However,
> that started in bugzilla version 4, which was released only this year.
>
> For passwords encrypted in bugzilla prior to that, a simple crypt() was used.
> I haven't yet looked at the bugzilla code to determine if it was salted or not,
> or exactly how that crypt() was called. The encrypted text is roughly the same
> length as a 64 bit DES encryption.
>
> The appdb uses the sha1() mysql function which is a straightforward sha1sum.
>
> I won't claim to be a cryptography expert, as I'm not. My back of the envelope
> analysis is that if you have a moderately complex password, you will likely
> be safe from any straightforward attempts to crack your password. You may still
> be at risk to an extended brute force attack. But here my ignorance kicks in;
> I don't know where the curve of password length + complexity matches the curve
> of 'time required to brute force an sha1'.
I'm not a cryptographer either, but note that SHA-1 is used by Git and others for its speed. For hashing passwords, this is a bug, not a feature -- checking passwords should be slow rather than quick. One hash function designed for passwords is bcrypt().
Josh
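As an added illustration that is not code from this thread or from the Wine projects, the following Python compares the appdb's unsalted MySQL SHA1() approach with a salted, deliberately slow password hash. The post names bcrypt; this example swaps in PBKDF2-HMAC-SHA256 from the standard library so it runs without extra packages, and the iteration count and sample password are assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample credential for the demo; not a real password.
SAMPLE_PASSWORD = "hunter2"

# Assumed work factor; tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 200_000

def appdb_style_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, what MySQL's SHA1() stores: the same
    password always yields the same digest, so one precomputed table
    covers every user of the site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_password_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. PBKDF2-HMAC-SHA256 stands in for the bcrypt the
    post names; both are deliberately expensive per guess."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in
    constant time so a mismatch leaks no position information."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def cost_ratio(rounds: int = 2000) -> float:
    """How many unsalted SHA-1 checks fit in the time of one PBKDF2 check,
    i.e. the slowdown a guess-by-guess attacker pays per candidate."""
    start = time.perf_counter()
    for _ in range(rounds):
        appdb_style_hash(SAMPLE_PASSWORD)
    sha1_each = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    make_password_record(SAMPLE_PASSWORD, salt=b"\x00" * 16)
    slow_each = time.perf_counter() - start
    return slow_each / sha1_each
```

Two records made from the same password differ because each carries its own salt, while the SHA1() digests are identical; `cost_ratio()` gives a rough measure of how much slower each guess becomes.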