On Tue, Sep 13, 2011 at 5:53 AM, Mrunal Nerpawar <p.mru...@gmail.com> wrote:
> I have a use case for one of the products that I work on. I need to know if
> the passwords on the Unix machines are weak.
> The passwords are hashed using the Blowfish algorithm. I shall be doing
> dictionary encryption using the Blowfish API to find the weak passwords.
>
> I am using openssl/blowfish for this matter.
> So, I have already generated the hash from the Unix machine and I need to hash the
> words from the dictionary to match them.
It would probably be easier to use John the Ripper. Solar Designer
recently updated it to include code to check for an implementation bug in
Blowfish (in case the password was hashed with the defective
implementation). See
http://lists.randombit.net/pipermail/cryptography/2011-July/001115.html.

> The very first question here is: can I really do so using Blowfish?
> If yes, what is the salt that should be used to encrypt the guessed word?
See answer 1.

> Which blowfish API should be used ? ( Considering the fact that the ivec
> information is not available, please correct me if I am wrong)
Use the EVP_* functions with the Blowfish cipher object. It's easier than
using the low-level stuff directly.

> What is the format of the output? Is it the same as what is stored in
> /etc/shadow on Unix?
No, the output of OpenSSL is raw bytes.

> I practically tried many ways to get my use case working; however, none of them
> helped me.
> Therefore, I am coming back to square one and asking all these basic questions.
> Maybe I am missing something in the usage.
They could be weak, but you might not be able to detect they are weak.
Your success using the dictionary will depend upon the algorithm and
the dictionary.

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
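The question behind this thread is what the salt is and why raw Blowfish output does not look like /etc/shadow. A "Blowfish" entry in /etc/shadow is a bcrypt string of the form $2a$NN$ followed by 22 characters of salt and 31 characters of digest, in bcrypt's own base64 alphabet; the salt and cost are inside the string, and the digest comes from the expensive eksblowfish key schedule (2^cost iterations over salt and password), so EVP_bf_* output can never be compared with it directly. A candidate word is checked by re-running bcrypt with the same $2a$NN$salt prefix and comparing the 31-character tail. The following is an added example, not code from the thread or from OpenSSL: it parses such entries, decodes the salt, and checks a word list. It assumes the third-party Python package `bcrypt` for the hashing step; the sample shadow line is constructed, with the salt/digest taken from crypt_blowfish's self-test vector (password "U*U").

```python
"""Parse bcrypt entries from /etc/shadow and test dictionary candidates.

Added example, not from the original thread. The candidate check relies on the
third-party 'bcrypt' package (pip install bcrypt), which is an assumption.
"""
import re

# bcrypt's base64 alphabet: NOT RFC 4648, no padding, '.' and '/' come first.
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
_DECODE = {c: i for i, c in enumerate(BCRYPT_ALPHABET)}

# $<variant>$<cost>$<22-char salt><31-char digest>  -> 60 characters in total
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_b64decode(s, nbytes):
    """Decode bcrypt base64 text into exactly nbytes bytes (crypt_blowfish layout)."""
    out = bytearray()
    i = 0
    while len(out) < nbytes:
        c1, c2 = _DECODE[s[i]], _DECODE[s[i + 1]]
        i += 2
        out.append((c1 << 2) | ((c2 & 0x30) >> 4))
        if len(out) >= nbytes:
            break
        c3 = _DECODE[s[i]]
        i += 1
        out.append(((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2))
        if len(out) >= nbytes:
            break
        c4 = _DECODE[s[i]]
        i += 1
        out.append(((c3 & 0x03) << 6) | c4)
    return bytes(out)


def bcrypt_b64encode(data):
    """Inverse of bcrypt_b64decode: 16 salt bytes become 22 characters."""
    out = []
    i, n = 0, len(data)
    while i < n:
        c1 = data[i]
        i += 1
        out.append(BCRYPT_ALPHABET[c1 >> 2])
        c1 = (c1 & 0x03) << 4
        if i >= n:
            out.append(BCRYPT_ALPHABET[c1])
            break
        c2 = data[i]
        i += 1
        out.append(BCRYPT_ALPHABET[c1 | (c2 >> 4)])
        c1 = (c2 & 0x0F) << 2
        if i >= n:
            out.append(BCRYPT_ALPHABET[c1])
            break
        c2 = data[i]
        i += 1
        out.append(BCRYPT_ALPHABET[c1 | (c2 >> 6)])
        out.append(BCRYPT_ALPHABET[c2 & 0x3F])
    return "".join(out)


def parse_bcrypt(hashstr):
    """Split a bcrypt string into variant, cost, salt and digest."""
    m = _BCRYPT_RE.match(hashstr)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % hashstr)
    variant, cost, salt_s, digest_s = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost out of range: %d" % cost)
    return {
        "variant": "$%s$" % variant,      # $2x$ = produced by the buggy crypt_blowfish
        "cost": cost,
        "rounds": 1 << cost,              # key-schedule iterations, the slow part
        "salt": bcrypt_b64decode(salt_s, 16),
        "digest": bcrypt_b64decode(digest_s, 23),
        # Everything before the digest is what a candidate must be hashed with.
        "setting": "$%s$%02d$%s" % (variant, cost, salt_s),
    }


def parse_shadow_line(line):
    """Return (user, hash) from one /etc/shadow line."""
    fields = line.rstrip("\n").split(":")
    return fields[0], fields[1]


def check_candidates(hashstr, candidates):
    """Return the first candidate whose bcrypt digest matches, else None."""
    import bcrypt  # third-party package (assumption); not OpenSSL
    info = parse_bcrypt(hashstr)
    if info["variant"] == "$2x$":
        raise ValueError("$2x$ hashes need the buggy crypt_blowfish or John the Ripper")
    setting = info["setting"].encode("ascii")
    for cand in candidates:
        pw = cand.encode("utf-8")[:72]  # bcrypt uses only the first 72 bytes
        got = bcrypt.hashpw(pw, setting).decode("ascii")
        if got[-31:] == hashstr[-31:]:  # compare digest only; the prefix may be rewritten
            return cand
    return None


if __name__ == "__main__":
    # Constructed shadow line; salt and digest are crypt_blowfish's self-test vector.
    line = "alice:$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW:15600:0:99999:7:::"
    user, h = parse_shadow_line(line)
    info = parse_bcrypt(h)
    print(user, info["variant"], "cost", info["cost"], "salt", info["salt"].hex())
    print("match:", check_candidates(h, ["password", "123456", "U*U"]))
```

The salt is never chosen by the cracker: it is read from the stored string and reused, which is why a plain EVP_bf_* call with an ivec makes no sense here. The digest comparison deliberately ignores the variant prefix, because bcrypt libraries may rewrite $2y$ or $2a$ to $2b$ on output while computing the same digest.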
