decrypting htpasswd

Benjamin J. Weiss benjamin at birdvet.org
Mon Jan 24 20:26:01 UTC 2005


Steve Phillips wrote:

> On Mon, 24 Jan 2005, Benjamin J. Weiss wrote:
>
>> Mulley, Nikhil wrote:
>>
>>> [I am not talking about Cracking..] This is however to say that I 
>>> ensure my security and warn others about their security as well..
>>> as earlier said ..the password file has two fields...
>>> Username:Password
>>> the password is in DES (hashed) Encryption format..
>>> so I think there is a way to Rip it with John...
>>>
>> 1) If you intentionally acquired this file without the permission of 
>> the server's owner, you have violated federal law.
>> 2) If you accidentally acquired this file and then attempt to crack 
>> the password, you have violated federal law.
>
>
> Except that the world is not the USA and there are still many 
> countries where this is entirely legal, or does not fall under 
> "federal" law. While his originating IP appears to be in California, 
> he may actually be on the other side of the world.
>
True, he could easily have bounced off of another host.  I broke the 
cardinal rule...I made an unproven assumption that his IP showed that he 
was in fact in the US.  Mea Culpa. :)

> Morally your arguments hold up but claiming this on an international 
> mailing list is a little silly.
>
Yep, true.  I need to go upstairs and ask our legal dept. about 
international treaties on cracking.  Of course, I'd have to know what 
country he's in, if not the USA.

>> If you truly came upon this file accidentally and you want to warn 
>> the owners about their security, simply give them a copy of the file 
>> you captured and then delete it.
>>
>> I work for a state law-enforcement agency.  If you wish assistance in 
>> contacting the server owners, please contact me off-list.
>
>
> There are actually rather legitimate reasons for wanting to crack a 
> password file. This may be the only record of a password used by a 
> previous employee who has locked other records with the same password 
> but the hash is in a more secure form *shrug* who knows.
>
I agree that there are legitimate reasons.  However, in his original 
post, he said:

> [Meant for Linux Hackers...Well I know all here belong to the same community ;)]
> However , I have managed to get the htpasswd file of some other site..

Which certainly suggested that he was attempting to attain assistance in 
an illicit and possibly illegal activity.

<snip>




