
SHA256/512 Password Hashing for Pharo

17 Nov 2013

Recently, Adobe was hacked, resulting in, among other breakages, the loss of 130 million passwords. It was revealed that the passwords were encrypted using ECB (electronic codebook) mode, which is a rather poor way of securing passwords.

The MacRumors forum site was also hacked recently. The site runs the vBulletin forumware, which protects passwords using md5crypt.

md5crypt is a password hashing scheme devised by Poul-Henning Kamp in 1995. The hashed password takes the format $1$<salt>$<hash>. The hash is designed to be expensive to compute, to slow down attacks. In 2012, Poul-Henning announced that md5crypt was no longer considered safe, in view of advances in computing power.

sha-crypt, from Ulrich Drepper, is a public domain implementation of SHA-256/512-based password hashing, which works similarly to md5crypt, using SHA-256/512 and allowing an arbitrary number of rounds through the hashing algorithm.

The following commands build and run sha(256|512)crypt.c as self-test programs:

$ cc -DTEST -std=c99 -m32 sha256crypt.c
$ ./a.out
all tests OK
$ cc -DTEST -std=c99 -m32 sha512crypt.c
$ ./a.out
all tests OK

Next, build the shared library:

$ cc -std=c99 -m32 -fPIC -c sha256crypt.c
$ cc -std=c99 -m32 -fPIC -c sha512crypt.c
linux$ cc -m32 -shared -o libshacrypt.so *.o
osx$ cc -m32 -shared -o libshacrypt.dylib *.o

Move the .so or .dylib file to where your plugins are.

PCPasswordCrypt is a Smalltalk interface to libshacrypt using NativeBoost. It is very simple to use:

PCPasswordCrypt sha256Crypt: 'Hello world!' withSalt: 'saltstring'.
'$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5'
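
To cross-check that output without the shared library, the SHA-256 variant of the sha-crypt algorithm can be written directly in Python. This is an added example, not code from the original post, libshacrypt or PCPasswordCrypt; the names sha256_crypt, verify, ORDER and STORED are its own, and it assumes an ASCII salt.

```python
import hashlib
import hmac
import re

# Added illustration; names here are this example's own, not libshacrypt's.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Digest byte order used by the final encoding in the sha-crypt specification.
ORDER = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
STORED = re.compile(r"\$5\$(?:rounds=([0-9]+)\$)?([^$]{0,16})\$[./0-9A-Za-z]{43}")

def _b64(w, n):
    return "".join(B64[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha256_crypt(password, salt, rounds=None):
    """SHA-256 crypt; rounds=None means the default 5000 with no rounds= field."""
    salt = salt[:16]                              # at most 16 salt characters
    pw, sl = password.encode(), salt.encode()
    n = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    H = lambda *parts: hashlib.sha256(b"".join(parts)).digest()
    fit = lambda d, k: (d * (k // 32 + 1))[:k]    # repeat digest, cut to k bytes
    b = H(pw, sl, pw)
    mix, bits = [pw, sl, fit(b, len(pw))], len(pw)
    while bits:                                   # one block per bit of len(pw)
        mix.append(b if bits & 1 else pw)
        bits >>= 1
    a = H(*mix)
    p = fit(H(pw * len(pw)), len(pw))             # password-derived sequence P
    s = fit(H(sl * (16 + a[0])), len(sl))         # salt-derived sequence S
    c = a
    for i in range(n):                            # the deliberately slow loop
        parts = [p if i & 1 else c]
        if i % 3:
            parts.append(s)
        if i % 7:
            parts.append(p)
        parts.append(c if i & 1 else p)
        c = H(*parts)
    out = "".join(_b64(c[x] << 16 | c[y] << 8 | c[z], 4) for x, y, z in ORDER)
    out += _b64(c[31] << 8 | c[30], 3)
    prefix = "$5$" if rounds is None else f"$5$rounds={n}$"
    return f"{prefix}{salt}${out}"

def verify(password, stored):
    """Re-hash with the salt and rounds parsed from `stored`; constant-time compare."""
    m = STORED.fullmatch(stored)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return hmac.compare_digest(sha256_crypt(password, m.group(2), rounds).encode(), stored.encode())
```

Passing rounds=N yields the $5$rounds=N$salt$hash form, so the work factor travels with the stored hash and verify needs no separate configuration.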

Tested on OSX (Mountain Lion) and Linux (Mint 14). The C programs work on FreeBSD, but my self-built FreeBSD Cog VM doesn't have NativeBoost.

The C programs are found here. Once I figure out how, I'll put them on GitHub. PCPasswordCrypt is published on SqueakSource3.

Tags: cryptography, security