My guess that in most systems password is stored in plain text in database.
- Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
- Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!
Web developers
Collapse
X
-
-
Originally posted by SysmanYep, and with a salt too. Remember that if you rename or copy a user record you need to ask for a new password and regenerate the hash.
Since Daleks have a limited vocabulary, more than one might choose a password of "exterminate". Using this method, Dalek1, Dalek2 etc would end up with different hash values.Comment
-
Originally posted by AtWMy guess that in most systems password is stored in plain text in database.
HTHComment
-
Originally posted by DimPrawnyes, in a table named passwords in a database name db, located in the root of C:\
HTHComment
-
Originally posted by DiestlMost talented developers these days work in web developement due to the complex nature of the various levels one needs to think about. e.g. sessions/stateless nature/ajax/web services/caching.
When you're working on a 24 hour, real time, global trading system, you'll find that, "I'm a web developer" won't cut it.Comment
-
Originally posted by AtWMy guess that in most systems password is stored in plain text in database.
Here's some info on Oracle passwords:
http://www.red-database-security.com...passwords.html
Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt a hashstring but (with) the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)
10 seconds to calculate all 5-ascii-character-combinations
5 minutes to calculate all 6-ascii-character-combinations
2 hours to calculate all 7-ascii-character-combinations
2,1 days to calculate all 8-ascii-character-combinations
57 days to calculate all 9-ascii-character-combinations
4 years to calculate all 10-ascii-character-combinations
You should always use strong and long passwords to avoid brute force or dictionary attacks.Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
-
This is how database itself stores user passwords - which is certainly reasonably secure, where as I am talking about developers who in my view would more often than not choose to store password in plain text in their own designed tables.Comment
-
Originally posted by AtWThis is how database itself stores user passwords - which is certainly reasonably secure, where as I am talking about developers who in my view would more often than not choose to store password in plain text in their own designed tables.
Oh, since you mentioned MD5 and SHA-1, here's a snippet for you
http://dev.mysql.com/doc/refman/5.0/...functions.html
"Note: Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead."Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
-
Indeed, there is really no excuse. As for exploits of MD5 and SHA1 - if you read in details they are pretty much theoretical, this kind of attack can only be mounted by Govt entities and those guys would prefer to use simple methods - a few broken fingers and person in question will give all passwords they want.Comment
-
Originally posted by AtWAs for exploits of MD5 and SHA1 - if you read in details they are pretty much theoretical, this kind of attack can only be mounted by Govt entities and those guys would prefer to use simple methods - a few broken fingers and person in question will give all passwords they want.Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
- Home
- News & Features
- First Timers
- IR35 / S660 / BN66
- Employee Benefit Trusts
- Agency Workers Regulations
- MSC Legislation
- Limited Companies
- Dividends
- Umbrella Company
- VAT / Flat Rate VAT
- Job News & Guides
- Money News & Guides
- Guide to Contracts
- Successful Contracting
- Contracting Overseas
- Contractor Calculators
- MVL
- Contractor Expenses
Advertisers
Contractor Services
CUK News
- Secondary NI threshold sinking to £5,000: a limited company director’s explainer Dec 24 09:51
- Reeves sets Spring Statement 2025 for March 26th Dec 23 09:18
- Spot the hidden contractor Dec 20 10:43
- Accounting for Contractors Dec 19 15:30
- Chartered Accountants with MarchMutual Dec 19 15:05
- Chartered Accountants with March Mutual Dec 19 15:05
- Chartered Accountants Dec 19 15:05
- Unfairly barred from contracting? Petrofac just paid the price Dec 19 09:43
- An IR35 case law look back: contractor must-knows for 2025-26 Dec 18 09:30
- A contractor’s Autumn Budget financial review Dec 17 10:59
Comment