
RE: password

From: Paul Heely <pheely_at_progeny.net>
Date: Tue, 17 Dec 2002 13:19:21 -0800
Message-ID: <F001.0051BE97.20021217131921@fatcity.com>


UGH! Should have been 26^6 possible passwords NOT 6^26!

So... Ignore my previous math. Have to go now..... Hanging head in mathematical shame.

Correct times for all uppercase: 3 seconds

Correct times for upper and lower: 3.2 minutes

Now if I can only find the machine to do 100,000,000 attacks/s.

--

Paul

-----Original Message-----

Sent: Tuesday, December 17, 2002 3:20 PM
To: Multiple recipients of list ORACLE-L

I used to work as a Unix security admin and would frequently run password "cracking" programs against our password files.

We found that the really weak passwords were found in the first 5 minutes, ones derived from info in the gecos fields. Better ones, using number/letter substitutions in common dictionary words, would be found in the next day or so. We stopped running after 48 hours. We never found that brute force iteration was worthwhile.

Consider the following if you are thinking of using a totally brute force approach and trying all possible combinations. I needed a break this afternoon...

Assumptions: All passwords are 6 characters long and all characters are upper case.
There are 6^26=170,581,728,179,578,208,256 possible passwords.
If you can attack 100,000,000 passwords per second you will need
(6^26)/100,000,000 = 1,705,817,281,795 seconds.

1,705,817,281,795s * 1h/3600s = 473,838,133 hours
473,838,133,832h * 1d/24h = 19,743,255 days
19,743,255,576d * 1y/365d = 54,091 years

If we add the condition that passwords can be upper and lower case then there are 6^26 possible passwords and the time to attack all possible combinations becomes: 9.226E24 years.

Back to work now :)
--

Paul

-----Original Message-----

Waleed
Sent: Tuesday, December 17, 2002 2:16 PM
To: Multiple recipients of list ORACLE-L

It's one-way encryption. So you can loop on all the permutations for AAAAAA to ZZZZZZ and apply the encryption code and compare the output to the dictionary content. If it matches, then you got the password.

I thought about doing this five years ago, but decided against it.

I thought I will be under the hackers, virus developers groups.

Regards,
Waleed

-----Original Message-----

Sent: Tuesday, December 17, 2002 12:04 PM
To: Multiple recipients of list ORACLE-L

How? Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it.

Jared

Paulo Gomes <PGomes_at_Datinfor.pt>
Sent by: root_at_fatcity.com
 12/17/2002 04:38 AM
 Please respond to ORACLE-L  

        To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>

        cc: 
        Subject:        RE: password


nope u can get the encrypted password from the oracle dictionary
-----Original Message-----

Sent: Tuesday, 17 December 2002 11:34
To: Multiple recipients of list ORACLE-L

Check the post-it note on their monitor?  

:)
-----Original Message-----

Sent: 17 December 2002 10:55
To: Multiple recipients of list ORACLE-L

he can't but he can change it to a new one and then put the old back on
-----Original Message-----

Sent: Tuesday, 17 December 2002 4:09
To: Multiple recipients of list ORACLE-L

how can a dba see the password of a user.

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: faisal ahmad
  INET: faisalahmad4u_at_hotmail.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).

Author:
  INET: Jared.Still_at_radisys.com


Author: Khedr, Waleed
  INET: Waleed.Khedr_at_FMR.COM

Author: Paul Heely
  INET: pheely_at_progeny.net

Received on Tue Dec 17 2002 - 15:19:21 CST
