My guess is that in most systems the password is stored in plain text in the database.
Web developers
-
Originally posted by Sysman: Yep, and with a salt too. Remember that if you rename or copy a user record you need to ask for a new password and regenerate the hash.
Since Daleks have a limited vocabulary, more than one might choose a password of "exterminate". Using this method, Dalek1, Dalek2 etc. would end up with different hash values.
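An added illustration of the salting point in the post above (not code from anyone in the thread): two users with the same password get different hashes, and a salt tied to the username stops verifying after a rename while a random stored salt does not. Assumptions: PBKDF2-HMAC-SHA256 stands in for whatever hash the system uses, and the function names, iteration count and the "DalekSupreme" rename are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example work factor, chosen for this illustration


def kdf(password: str, salt: bytes) -> bytes:
    """Slow salted hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Scheme A (assumed): the salt is the username, so nothing extra is stored.
def hash_username_salt(username: str, password: str) -> bytes:
    return kdf(password, username.lower().encode())


def verify_username_salt(username: str, password: str, stored: bytes) -> bool:
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(hash_username_salt(username, password), stored)


# Scheme B: a random per-record salt is stored beside the hash.
def hash_random_salt(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, kdf(password, salt)


def verify_random_salt(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(kdf(password, salt), stored)


def demo() -> dict:
    pw = "exterminate"  # constructed sample password from the post
    a1 = hash_username_salt("Dalek1", pw)
    a2 = hash_username_salt("Dalek2", pw)
    unsalted = [hashlib.sha256(pw.encode()).digest() for _ in range(2)]
    salt, b = hash_random_salt(pw)
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "salted_differ": a1 != a2,
        "ok_before_rename": verify_username_salt("Dalek1", pw, a1),
        # The record keeps its old hash, but the username has changed.
        "ok_after_rename_username_salt": verify_username_salt("DalekSupreme", pw, a1),
        # A stored random salt travels with the record, so a rename is harmless.
        "ok_after_rename_random_salt": verify_random_salt(pw, salt, b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```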
-
Originally posted by AtW: My guess is that in most systems the password is stored in plain text in the database.
HTH
-
Originally posted by DimPrawn: yes, in a table named passwords in a database named db, located in the root of C:\
HTH
-
Originally posted by Diestl: Most talented developers these days work in web development due to the complex nature of the various levels one needs to think about, e.g. sessions/stateless nature/ajax/web services/caching.
When you're working on a 24 hour, real time, global trading system, you'll find that, "I'm a web developer" won't cut it.
-
Originally posted by AtW: My guess is that in most systems the password is stored in plain text in the database.
Here's some info on Oracle passwords:
http://www.red-database-security.com...passwords.html
Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt a hashstring but (with) the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)
10 seconds to calculate all 5-ascii-character-combinations
5 minutes to calculate all 6-ascii-character-combinations
2 hours to calculate all 7-ascii-character-combinations
2,1 days to calculate all 8-ascii-character-combinations
57 days to calculate all 9-ascii-character-combinations
4 years to calculate all 10-ascii-character-combinations
You should always use strong and long passwords to avoid brute force or dictionary attacks.
Behold the warranty -- the bold print giveth and the fine print taketh away.
-
This is how the database itself stores user passwords - which is certainly reasonably secure, whereas I am talking about developers who in my view would more often than not choose to store passwords in plain text in their own designed tables.
-
Originally posted by AtW: This is how the database itself stores user passwords - which is certainly reasonably secure, whereas I am talking about developers who in my view would more often than not choose to store passwords in plain text in their own designed tables.
Oh, since you mentioned MD5 and SHA-1, here's a snippet for you
http://dev.mysql.com/doc/refman/5.0/...functions.html
"Note: Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead."
Behold the warranty -- the bold print giveth and the fine print taketh away.
-
Indeed, there is really no excuse. As for exploits of MD5 and SHA1 - if you read the details they are pretty much theoretical, this kind of attack can only be mounted by Govt entities and those guys would prefer to use simple methods - a few broken fingers and the person in question will give all the passwords they want.
-
Originally posted by AtW: As for exploits of MD5 and SHA1 - if you read the details they are pretty much theoretical, this kind of attack can only be mounted by Govt entities and those guys would prefer to use simple methods - a few broken fingers and the person in question will give all the passwords they want.
Behold the warranty -- the bold print giveth and the fine print taketh away.