
RE: password

From: From <l-oracle_at_hypno.iheavy.com>
Date: Sat, 21 Dec 2002 15:38:38 -0800
Message-ID: <F001.00520DA4.20021221153838@fatcity.com>

> why isn't there a program available that can reverse engineer the code used
> to encrypt passwords...
>
> if username XYZ always has password (encrypted) CBA, you think that it would
> be easy to figure out the pattern... once you have the pattern it's easy
> to go back and forth with the password and the encrypted password.

Nick:

Password encryption is a one-way algorithm. I'm no math genius, but these guys know how to create math such that you can encrypt a string of text, but *CAN'T* reverse the process. This is an age-old method. In fact for years, the unix password file was plainly readable by anyone on the system. In those days, computers weren't fast enough to run dictionary cracker programs. When they became fast enough, people would just go through a dictionary file, and encrypt each word, and simple permutations thereof. When you found an encrypted string which matched your string from the password file, you had a match. Then shadow password files were invented.

Anyway, security in Oracle is implemented in somewhat the same way. And just as in the Unix world, if you have the encrypted passwords, you can run a dictionary hack like John the Ripper (http://www.openwall.com/john/) and find passwords which are based on dictionary words.

This is an endless game of cat and mouse. Users can't remember complex strings like "$rs^&tvzH(9", so they either use passwords they can remember, which is insecure, or write them on a post-it. Some people have devised small electronic versions of a post-it with a password, some attached to a keychain, or a program for the Palm Pilot. But the same problem remains: they're only as good as the password that secures all the others.

If you want to go further to the cutting edge, you run into the new field of biometrics. Bruce Schneier has a lot to say about this: http://www.counterpane.com/crypto-gram-9808.html

A Japanese researcher named Tsutomu Matsumoto managed to hack fingerprint readers 80% of the time with Jelly Babies!!! http://www.zdnet.com.au/newstech/security/story/0,2000024985,20265318-1,00.htm http://www.counterpane.com/crypto-gram-0205.html#5

I actually requested a copy of this paper through the mail. It was *VERY* interesting.

So don't expect these problems to be solved anytime soon. :-)

HTH,
Sean

Received on Sat Dec 21 2002 - 17:38:38 CST
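Sean's description of dictionary cracking (hash each word and its simple permutations, then compare against the stolen hash) as an added worked example; this code is not part of the original post or of Oracle-L. Salted SHA-256 stands in for the crypt(3) and Oracle algorithms he mentions (an assumption made for readability; the attacker's procedure is identical for any one-way function, since none of them can be run backwards), and the accounts, salts, shadow-style file and wordlist are constructed for the example.

```python
import hashlib

# Stand-in one-way function: salted SHA-256.  Assumption for this example:
# the real crypt(3) and Oracle hashes differ in detail, but the cracking
# procedure below is the same because the function cannot be inverted.
def hash_password(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()

# Constructed sample accounts (user, salt, cleartext), used only to build the
# shadow-style text below.  The cracker never sees the cleartext column.
_SAMPLE_ACCOUNTS = [
    ("nick",  "a3", "oracle"),        # bare dictionary word
    ("scott", "k9", "Tiger1"),        # capitalised word plus a digit
    ("sys",   "x7", "$rs^&tvzH(9"),   # the random string from the post
]

SHADOW_TEXT = "# user:salt:sha256hex\n" + "\n".join(
    f"{user}:{salt}:{hash_password(salt, clear)}"
    for user, salt, clear in _SAMPLE_ACCOUNTS
)

# Constructed mini dictionary; a real run would use a full wordlist.
WORDLIST = ["password", "oracle", "tiger", "welcome", "manager"]

_LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def parse_shadow(text: str):
    """Yield (user, salt, digest) from shadow-style lines, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, salt, digest = line.split(":", 2)
        yield user, salt, digest


def candidates(word: str):
    """Simple permutations of one dictionary word: case changes, reversal,
    leet substitution, and an optional trailing digit.  Duplicates are
    skipped so each hash computation is done once per word."""
    bases = [word, word.capitalize(), word.upper(), word[::-1], word.translate(_LEET)]
    seen = set()
    for base in bases:
        for suffix in [""] + list("0123456789"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(shadow_text: str, wordlist) -> dict:
    """Return {user: password} for every hash that matches some candidate.
    Nothing is decrypted: each guess is hashed forward with the account's
    salt and compared, so the salt forces the whole wordlist to be
    re-hashed for every account."""
    found = {}
    for user, salt, digest in parse_shadow(shadow_text):
        for cand in (c for w in wordlist for c in candidates(w)):
            if hash_password(salt, cand) == digest:
                found[user] = cand
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(SHADOW_TEXT, WORDLIST).items():
        print(f"{user}: {pw}")
```

Running the block recovers "oracle" and "Tiger1" and leaves the account with the random string untouched: the only lever the attacker has is guessing forward, which is exactly why the post says the weak link is the password a human can remember rather than the hash function.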
