Recently, Adobe was hacked, resulting in, among other damage, the loss of 130 million passwords. It was revealed that the passwords were encrypted using ECB (electronic codebook) mode, which is a rather poor way of securing passwords.
The MacRumors forum site was also hacked recently. The site runs the vBulletin forumware, which protects passwords using md5crypt.
md5crypt is a password hashing scheme devised by Poul-Henning Kamp in 1995. The hashed password takes the format $1$
sha-crypt, from Ulrich Drepper, is a public domain implementation of SHA-256/512-based password hashing, which works similarly to md5crypt, using SHA-256/512 and allowing an arbitrary number of rounds through the hashing algorithm.
The following commands build and run sha(256|512)crypt.c as self-test programs:
$ cc -DTEST -std=c99 -m32 sha256crypt.c
$ ./a.out
all tests OK
$ cc -DTEST -std=c99 -m32 sha512crypt.c
$ ./a.out
all tests OK
Next, build the shared library:
$ cc -std=c99 -m32 -fPIC -c sha256crypt.c
$ cc -std=c99 -m32 -fPIC -c sha512crypt.c
linux$ cc -m32 -shared -o libshacrypt.so *.o
osx$ cc -m32 -shared -o libshacrypt.dylib *.o
Move the .so or .dylib file to where your plugins are.
PCPasswordCrypt is a Smalltalk interface to libshacrypt using NativeBoost. It is very simple to use:
PCPasswordCrypt sha256Crypt: 'Hello world!' withSalt: 'saltstring'.
'$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5'
Tested on OSX (Mountain Lion) and Linux (Mint 14). The C programs work on FreeBSD, but my self-built FreeBSD Cog VM doesn't have NativeBoost.
The C programs are found here. Once I figure out how, I'll put them on GitHub. PCPasswordCrypt is published on SqueakSource3.