IRC log for #neo900 on 20190313

00:40.43*** join/#neo900 Kabouik (~kabouik@37.171.88.33)
01:31.11*** join/#neo900 ArturShaik (~ArturShai@212.112.100.88)
02:27.53Joerg-Neo900xmn: absolutely, yes
02:40.24Joerg-Neo900sixwheeledbeast: interesting
04:10.19DocScrutinizer05my root password had 6 hits
04:15.14xmnoops
04:43.56*** join/#neo900 him-cesjf (~cesjf@unaffiliated/himcesjf)
06:20.47*** join/#neo900 ecloud (quassel@nat/qt/x-gaasyadqhjejiphh)
06:56.07atkno hits on anything important
06:56.53atkan old old old password I used
06:57.01atkwhich is generic enough to have been used by lots of other people
06:57.29atk5140 matches :D
07:04.37*** join/#neo900 tkok (~tkok@dtvg04yf1klnt6-c3bmty-3.rev.dnainternet.fi)
07:39.22DocScrutinizer05don't use the web interface at https://passwordsecurity.info/ !  https://github.com/technonerdz/passwordsecurity.info/issues/6
07:40.09DocScrutinizer05or if you do, c&p the password so only one query with full length passowrd gets generated
07:45.37xmn<PROTECTED>
07:49.10DocScrutinizer05yes, the local shellscript is safe
07:49.52DocScrutinizer05the web interface is NOT !!!
08:01.39xmnyeah, so the local one hashs your password and then check it against their database right?
08:11.08Joerg-Neo900xmn: right
08:11.53Joerg-Neo900actually it also truncates the hash to leading 5 chars
08:17.49Joerg-Neo900thanks to max-p of PIA for helping with the analysis of the web interface
08:21.29atkI didn't use the shellscript or the web-interface
08:21.37atkI just manually generated the hash and manually made the web requests
08:22.05atkI know there isn't much in that shell script, but who the fuck knows, I don't know bash that well, might be here's some missing character somewhere which would cause things to be interpreted "incorrectly"
08:27.29sixwheeledbeastYes it hashes the password and only sends the first 5 chars of the sha1 to the api. You receive the sha's that match and compare locally is how I read it. I assume I am reading the source of the script correctly and there is nothing else in there.
08:28.48Joerg-Neo900atk: the true geek's approach :-)
08:29.29sixwheeledbeastThe website (HIBP) can work the same if you sha1 your password first I believe but the website source would need checking each time. My only concern is bash will log the password in plaintext locally.
08:30.07sixwheeledbeastTime to change your root password I think Doc
08:30.15Joerg-Neo900how and where/why would bash log any of that?
08:30.41Joerg-Neo900of course my rot pw got changed hours ago
08:30.43Joerg-Neo900:-)
08:30.59Joerg-Neo900been about time anyway
08:31.00sixwheeledbeastIf you run the script on the shell the plaintext will be in history
08:31.27Joerg-Neo900that's why my recommendation is to run the script without parameters and provide the pw on prompt
08:31.52sixwheeledbeastand therefore ~/.bash_history
08:32.47sixwheeledbeastI see, I haven't played with it much yet just used some known passwords in to check
08:33.13sixwheeledbeastcorrecthorsebatterystaple for example
08:33.58Joerg-Neo900how many hits? :-D
08:34.28sixwheeledbeast114
08:34.38Joerg-Neo900low
08:36.47sixwheeledbeastI see so the prompt wouldn't be logged anywhere, the script will end therefore never stored to disk.
08:37.37Joerg-Neo900exactly. The usual way to deal with this, also used by passwd(1)
08:38.34sixwheeledbeastyes logins etc. compare the first part of the hash
08:41.20xmncool, good info guys thanks
08:42.19sixwheeledbeastIt's a handy little script to have in your toolbox
08:44.16Joerg-Neo900sixwheeledbeast: >>...website (HIBP) can work the same if you sha1 your password...<< https://passwordsecurity.info/ does exactly same like script, incl generating SHA from plaintext password locally, according to Max-P's analysis
08:45.00*** join/#neo900 bemyak (~bemyak@195.26.185.118)
08:48.24sixwheeledbeastI see it just hooks into the HIBP API. What are your concerns over the website versions? I personally wouldn't use a website for this as I would want to check over the source of the site each time I need it, it may have been compromised.
08:54.04Joerg-Neo900sixwheeledbeast: it does incremental search, thus the first query sent out is for exactly one out of max 256 chars, it's dead simple to reverse the hash to conclude the single char
08:54.36Joerg-Neo900the next query is for the hash of a 2char password, of which first char is known from last query
08:54.53Joerg-Neo900so again one out of 256 choices
08:56.07Joerg-Neo900this way you "recursively" or iteratively reveal the complete password from snooping HTML traffic as it is typed, in realtime
08:58.09sixwheeledbeastoh I believed it would send the first part of the sha and match locally. Also site is https like the API to reduce risk of leaking the sha1
08:58.35Joerg-Neo900yes, HTTPS defeats a worst case scenario here
08:59.09Joerg-Neo900it actually does >>send the first part of the sha and match locally<<
08:59.40Joerg-Neo900but that first 5 chars of SHA are more than sufficient to discern between 256 possible solutions to find the right one
09:00.24sixwheeledbeastSo similar risk with the API then?
09:01.14Joerg-Neo900no since the local version only does ONE query for full length password, no incremental search
09:01.49Joerg-Neo900the website does one query for each char you type
09:02.05sixwheeledbeastoh I see, you can unhash each of the 5 sent chars for sure even without the rest of the hash
09:02.29sixwheeledbeastnot unhash
09:02.39Joerg-Neo900nah, those 5chars are truncated SHA sum, not truncated password
09:02.58xmnsixwheeledbeast: makes a good point on that the site could be comprised at some other time. Where as the script will stay the same and hash locally.
09:04.31Joerg-Neo90012345678X will still send a different truncated 5char hash than 12345678O
09:05.25sixwheeledbeastI understand I am just not explaining verbosely. You have reduced the amount of hashs it isn't because it has been sent 1+2+3+4+5 times
09:06.37Joerg-Neo900!md5 s
09:06.44Joerg-Neo900~md5 s
09:06.49Joerg-Neo900~md5 sk
09:06.54Joerg-Neo900~md5 skr
09:06.59Joerg-Neo900~md5 skri
09:07.04Joerg-Neo900~md5 skrit
09:08.04Joerg-Neo90003c7 41d6 1542 6243 eaef  <- completely describes "skrit"
09:12.50Joerg-Neo900is fond of this terse explanation by example of above 11 lines :-)
09:41.52*** join/#neo900 _Chris_ (~Chris@p5DE1A6CD.dip0.t-ipconnect.de)
10:36.54*** join/#neo900 Kabouik (~kabouik@45.6.104.128)
11:26.47*** join/#neo900 Kabouik (~kabouik@138.117.51.199)
11:34.09*** join/#neo900 Kabouik (~kabouik@138.117.51.199)
12:19.47*** join/#neo900 unclouded (~quassel@121.72.242.153)
12:58.29atksixwheeledbeast: That's what I read from the shell script
12:59.07atksixwheeledbeast: but, I ... well
12:59.13atkI just don't trust such things even when it's so obvious
12:59.17atkI've seen IOCCC
12:59.23atkI'm now going to be working in infosec as of next month
12:59.29atkYou can say I'm paranoid
13:05.11*** join/#neo900 him-cesjf (~cesjf@unaffiliated/himcesjf)
13:10.15*** join/#neo900 Kabouik (~kabouik@138.117.51.199)
15:20.05Joerg-Neo900so enjoy my augmented ticket ;-) https://github.com/technonerdz/passwordsecurity.info/issues/6
15:55.14*** join/#neo900 clapont (~clapont@unaffiliated/clapont)
16:34.28*** join/#neo900 Kabouik (~kabouik@138.117.51.199)
16:51.45*** join/#neo900 Kabouik (~kabouik@138.117.51.199)
17:16.24*** join/#neo900 _Chris_ (~Chris@p5DE1A6CD.dip0.t-ipconnect.de)
17:46.51*** join/#neo900 xmn (~xmn@user-0cdft2n.cable.mindspring.com)
17:57.21*** join/#neo900 xmn (~xmn@user-0cdft2n.cable.mindspring.com)
18:30.27*** join/#neo900 xmn (~xmn@user-0cdft2n.cable.mindspring.com)
19:14.45*** join/#neo900 clapont (~clapont@unaffiliated/clapont)
19:22.14galiven_For bash at least, putting a space before the actual command won't log to ~./bash_history
21:09.29*** join/#neo900 him-cesjf (~cesjf@unaffiliated/himcesjf)
22:17.32*** join/#neo900 fling (~fling@fsf/member/fling)
22:39.27*** join/#neo900 Pali (~pali@Maemo/community/contributor/Pali)
22:41.42*** join/#neo900 pagurus (~user@i577B75AF.versanet.de)
23:24.08*** join/#neo900 c4rc4s (~c4rc4s@unaffiliated/c4rc4s)

Generated by irclog2html.pl Modified by Tim Riker to work with infobot.