My guess that in most systems password is stored in plain text in database.
-
-
On Skaro we overcame this problem quite easily. My password is exterminate1, the Supreme Dalek's is exterminate2, and so on.Originally posted by SysmanComment
-
yes, in a table named passwords in a database name db, located in the root of C:\Originally posted by AtW
HTHComment
-
That's right. It is password protected but login name 'admin' (password 'admin') will let you in.Originally posted by DimPrawnComment
-
Mmmmm. Most talented developers are all rounders and don't box themselves into 'web' or 'Windows' or 'middleware' or 'database' labels.Originally posted by Diestl
When you're working on a 24 hour, real time, global trading system, you'll find that, "I'm a web developer" won't cut it.Comment
-
I haven't seen that in years.Originally posted by AtW
Here's some info on Oracle passwords:
http://www.red-database-security.com...passwords.html
Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt a hashstring but (with) the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)
10 seconds to calculate all 5-ascii-character-combinations
5 minutes to calculate all 6-ascii-character-combinations
2 hours to calculate all 7-ascii-character-combinations
2,1 days to calculate all 8-ascii-character-combinations
57 days to calculate all 9-ascii-character-combinations
4 years to calculate all 10-ascii-character-combinations
You should always use strong and long passwords to avoid brute force or dictionary attacks.Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
-
This is how database itself stores user passwords - which is certainly reasonably secure, where as I am talking about developers who in my view would more often than not choose to store password in plain text in their own designed tables.Comment
-
Given the available information on the subject, they have no excuse really.Originally posted by AtW
Oh, since you mentioned MD5 and SHA-1, here's a snippet for you
http://dev.mysql.com/doc/refman/5.0/...functions.html
"Note: Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead."Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
-
Indeed, there is really no excuse. As for exploits of MD5 and SHA1 - if you read in details they are pretty much theoretical, this kind of attack can only be mounted by Govt entities and those guys would prefer to use simple methods - a few broken fingers and person in question will give all passwords they want.Comment
-
Ah yes, "social engineering"Originally posted by AtW
Behold the warranty -- the bold print giveth and the fine print taketh away.Comment
Comment