CAPICOM 1

Status
Not open for further replies.

Swi

I came across this in a search and it seems that this is vulnerable to many password crackers. I believe this code snippet was from strongm.

Public Sub Example2()
Dim myHash As HashedData

Set myHash = New HashedData
myHash.Algorithm = CAPICOM_HASH_ALGORITHM_SHA_512
myHash.Hash StrConv("Hello", vbFromUnicode) ' for the sake of this example we are converting the string so we match earlier API solution
MsgBox myHash.Value
End Sub

Even using SHA-512 it is cracked. Using CAPICOM is there a way around this?

Thanks.

Swi
 
Sorry, where do you get the info that SHA-2, and in particular the SHA-512 variant, is compromised?
 
Hi strongm,

I tried a site:
Seems to be able to crack any hashed password I give it with the above code.

Now, if I remove the StrConv function it does not crack it due to it being Unicode.

Thanks.

Swi
 
This is NOT a crack of SHA-2

(and yes, that is my code - from thread222-1548222)
 
I understand; however, the website above is deciphering it consistently unless I leave it as Unicode or provide a unique or static salt to it.

Swi
 
When it comes to passwords, the use of hashing does not obviate the requirement to follow good password practice, such as using strong passwords. So if I take a fairly typical password rule (Microsoft's length and complexity rule):

Passwords must have at least 8 characters.
Passwords must contain characters from three of the following five categories:
  • Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
  • Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}:;"'<>,.?/
  • Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
I might end up with a password such as A1biker! - for which Crackstation does not have a precomputed SHA-512 hash to look up (even though it isn't a particularly strong password)

Further, if you are working with passwords (rather than generating a simple hash digest, which is what my original code does), then the hashes should always be properly salted (as Crackstation itself points out)

(oh, and just to be pedantic, Crackstation is not doing any deciphering)
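An added illustration of the points made above (example code written for this page, not code from the thread or from CAPICOM; Python rather than VB6 so it runs anywhere): the unsalted digest from the snippet is a pure function of the password bytes, so a precomputed table can look it up; dropping StrConv only swaps the ANSI bytes for UTF-16LE bytes and is not a salt; a per-user random salt makes the stored digest unique. It assumes cp1252 as the ANSI code page, UTF-8 for the salted records and a 16-byte salt; the function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of raw bytes, the same primitive CAPICOM's HashedData uses."""
    return hashlib.sha512(data).hexdigest()


def unsalted_digest(password: str, encoding: str = "cp1252") -> str:
    """Mirror of the thread's snippet: StrConv(s, vbFromUnicode) turns the VB string
    into its ANSI code-page bytes (cp1252 assumed here), which are then hashed.
    With encoding="utf-16-le" it mirrors the snippet without StrConv: VB strings are
    UTF-16LE internally, so a different byte string, and thus a different digest, is
    hashed. Either way the digest depends on the password alone."""
    return sha512_hex(password.encode(encoding))


def make_salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest) to store per user. A fresh random salt per record
    means two users with the same password get unrelated digests, so a precomputed
    password -> hash table is useless against the stored values."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt; stored in the clear beside the digest
    digest = sha512_hex(salt + password.encode("utf-8"))
    return salt.hex(), digest


def verify(password: str, salt_hex: str, digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = sha512_hex(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "A1biker!"  # the sample password from the thread
    # Unsalted: identical for every user and every run, so a lookup table applies.
    print(unsalted_digest(pw) == unsalted_digest(pw))  # True
    # Dropping StrConv only changes the encoded bytes; a table built from
    # UTF-16LE-encoded candidates would match again.
    print(unsalted_digest("Hello") == unsalted_digest("Hello", "utf-16-le"))  # False
    # Salted: same password, two users, two different stored digests.
    salt_a, dig_a = make_salted_record(pw)
    salt_b, dig_b = make_salted_record(pw)
    print(dig_a != dig_b, verify(pw, salt_a, dig_a), verify("wrong", salt_a, dig_a))  # True True False
```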

 
Ok, salts it is. Thanks.

Swi
 
You do know that CAPICOM is a dead technology now, right?

It can be jammed into Win7 but isn't recommended, and it doesn't work at all in current versions of Windows.
 
So it does, you just need to install the SDK and then manually install the DLL as described in the readme.txt file from the SDK.

Good to know for keeping old programs alive.
 