Re: Pete Finnigan's Oracle database password checker

From: Yong Huang <>
Date: Sat, 11 Oct 2008 06:25:02 -0700 (PDT)
Message-ID: <>

> the slow part of the plsql code is the Brute Force attack. That can hardly
> compete with real password crackers written in C(++). You can reduce the
> pain of doing a brute force attack by changing the line with
> *passlen:=4*; -- need to restrict to 4 so that it takes around 35 secs
> into
> *passlen:=2*; -- need to restrict to 2 so that it takes around 1 sec
> you can extend the dictionary list with your own words as pointed out by
> others.

In the real world, users' passwords are rarely <= 4 chars long. And even with crackers written in C or C++, a brute-force check takes more than a few weeks on a typical PC nowadays if the password is longer than 8 characters. The problem with all password crackers out there is that none accept user-defined regular expressions as patterns of possible passwords (most allow you to specify a predefined set of chars: letters only, letters and digits, etc.). For instance, I know my users will only start a password with a letter, not a digit or non-alphanumeric char, and the only non-alphanumeric chars are such and such (no `, ~, ^, etc.). I can't do that. If I could, the runtime of the brute-force password check would be much shorter.

It's not hard to implement this logic in the program. Pete and a few others are aware of this shortcoming.

Yong Huang

Received on Sat Oct 11 2008 - 08:25:02 CDT
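The shortcoming described in the message above, a pattern-constrained brute force, is easy to demonstrate. The following Python is an added example, not code from the thread or from Pete Finnigan's checker. It defines a small, constructed per-position pattern language (a class letter such as L for letter, d for digit, s for an assumed allowed-symbol set, x for anything allowed, each optionally repeated with {n} or {n,m}), computes the keyspace a pattern admits, and brute-forces only that keyspace. The hash is SHA-256 as a stand-in, since the legacy Oracle DES-based password hash is not in the standard library; the symbol set and the target password are constructed for the example.

```python
import hashlib
import itertools
import math
import re
import string

# Per-position character classes. This is a constructed mini pattern language
# for the example, not the syntax of any real cracker. The symbol set under
# "s" is an assumed site policy (the post excludes `, ~ and ^, among others).
SYMBOLS = "!@#$%&*_-"
CLASSES = {
    "L": string.ascii_letters,                            # any letter
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "a": string.ascii_letters + string.digits,            # alphanumeric
    "s": SYMBOLS,                                         # allowed punctuation only
    "x": string.ascii_letters + string.digits + SYMBOLS,  # anything the policy allows
}

# One token: a class letter, optionally followed by {n} or {n,m}.
TOKEN = re.compile(r"([A-Za-z])(?:\{(\d+)(?:,(\d+))?\})?")


def parse_pattern(pattern):
    """Expand a pattern such as 'Ld{2,3}s' into a list of fixed-length "shapes";
    each shape is the list of character classes, one per position."""
    shapes = [[]]
    pos = 0
    for m in TOKEN.finditer(pattern):
        if m.start() != pos or m.group(1) not in CLASSES:
            raise ValueError(f"bad pattern at offset {pos}: {pattern[pos]!r}")
        pos = m.end()
        cls = CLASSES[m.group(1)]
        lo = int(m.group(2)) if m.group(2) else 1
        hi = int(m.group(3)) if m.group(3) else lo
        shapes = [s + [cls] * n for s in shapes for n in range(lo, hi + 1)]
    if pos != len(pattern):
        raise ValueError(f"bad pattern at offset {pos}: {pattern[pos]!r}")
    return shapes


def is_valid_pattern(pattern):
    try:
        parse_pattern(pattern)
        return True
    except ValueError:
        return False


def keyspace_size(pattern):
    """Number of candidates the pattern admits (summed over all shapes)."""
    return sum(math.prod(len(c) for c in shape) for shape in parse_pattern(pattern))


def candidates(pattern):
    """Yield every candidate password matching the pattern, in pattern order."""
    for shape in parse_pattern(pattern):
        for chars in itertools.product(*shape):
            yield "".join(chars)


def sha256_hex(password):
    # Stand-in for a real password hash: the legacy Oracle hash is DES based
    # and not available in the standard library, so SHA-256 is used here.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target, pattern, hash_fn=sha256_hex):
    """Brute-force only the pattern's keyspace. Returns (password or None, guesses)."""
    tried = 0
    for cand in candidates(pattern):
        tried += 1
        if hash_fn(cand) == target:
            return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed target: 4 chars, leading letter, two digits, one allowed symbol.
    target = sha256_hex("Q73!")
    for pat in ("Ld{2}s", "x{4}"):
        print(f"{pat:8} keyspace={keyspace_size(pat):>12,}")
    found, n = crack(target, "Ld{2}s")
    print(f"recovered {found!r} after {n:,} guesses")
    # Eight characters: leading letter plus the restricted symbol set, compared
    # with the full printable-ASCII space of 95**8 a generic cracker would walk.
    constrained = keyspace_size("Lx{7}")
    print(f"Lx{{7}} keyspace={constrained:,}, {95 ** 8 / constrained:.1f}x smaller than 95**8")
```

The interesting number is the last one: a pattern that only encodes "starts with a letter" and "these symbols only" is already a double-digit factor smaller than the printable-ASCII space for an 8-character password, which is exactly the runtime the message is asking for. A real cracker would also want the pattern applied to its dictionary and rule output, not just to pure brute force.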