Re: Encrypted Fields
Bigus Dickus <no_spam_for_me_thanks_at_yahoo.com> wrote in message news:<3E37E3B9.F8080DEE_at_yahoo.com>...
>
> For instance, we currently have a hashing algorithm which encrypts
> passwords and then stores the hash in the password field of the user
> table. However, the hash can be copied from user to user. For
> instance, it is possible to create a dummy user, copy the admin's
> password into the dummy user account, copy the password from your own
> account into admin, et voila! you are able to login as admin with your
> own password. Once you are done hacking away at the system, you simply
> swap the passwords back and delete the dummy account record from the
> table.
>
> It seems to me that there should be something within Oracle which would
> prevent this.
Generally, this problem is solved by salting the password with the username before it is hashed. Thus, the user would know that their userid/password hashed to something, but would have no idea what admin/password would hash to.
Justin Cave
Received on Thu Jan 30 2003 - 18:52:46 CST
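An added example (not code from this thread or from Oracle) contrasting the two storage schemes the reply discusses: with a hash of the password alone, a digest copied from one user's row into the admin row keeps verifying, while mixing the username in before hashing binds the digest to the account so the copied value no longer works. The usernames, passwords and the "user\0password" layout are constructed for the demonstration.

```python
import hashlib
import hmac

def unsalted(username: str, password: str) -> str:
    # Digest depends on the password only, so it is portable between rows.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def username_salted(username: str, password: str) -> str:
    # Digest is bound to the account name (constructed layout: user\0password);
    # case-folded so "Admin" and "admin" refer to the same row.
    data = username.lower().encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def build_table(scheme, credentials):
    # credentials: {username: plaintext}; returns the stored password column.
    return {u: scheme(u, p) for u, p in credentials.items()}

def login(table, scheme, username: str, password: str) -> bool:
    # Constant-time comparison of the stored digest against a fresh one.
    stored = table.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, scheme(username, password))

def copied_hash_logs_in(scheme) -> bool:
    """Model the scenario from the original post: the hash from a low-privilege
    row is copied into the admin row, then a login as admin is attempted with
    that row's password. Returns True if the scheme lets the login succeed."""
    creds = {"admin": "correct horse battery", "mallory": "hunter2"}  # constructed
    table = build_table(scheme, creds)
    table["admin"] = table["mallory"]          # the row copy the post describes
    return login(table, scheme, "admin", "hunter2")

if __name__ == "__main__":
    print("unsalted copy logs in:", copied_hash_logs_in(unsalted))               # True
    print("username-salted copy logs in:", copied_hash_logs_in(username_salted))  # False
```

Current practice goes a step beyond the reply: a random per-user salt stored beside the digest and a deliberately slow password hash such as PBKDF2 or bcrypt, which also blunts offline guessing if the table leaks.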