Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Encrypted Fields

From: Justin Cave <jocave_at_yahoo.com>
Date: 30 Jan 2003 16:52:46 -0800
Message-ID: <233b7a65.0301301652.716b8f37@posting.google.com>


Bigus Dickus <no_spam_for_me_thanks_at_yahoo.com> wrote in message news:<3E37E3B9.F8080DEE_at_yahoo.com>...
>
> For instance, we currently have a hashing algorithm which encrypts
> passwords and then stores the hash in the password field of the user
> table. However, the hash can be copied from user to user. For
> instance, it is possible to create a dummy user, copy the admin's
> password into the dummy user account, copy the password from your own
> account into admin, et voila! you are able to login as admin with your
> own password. Once you are done hacking away at the system, you simply
> swap the passwords back and delete the dummy account record from the
> table.
>
> It seems to me that there should be something within Oracle which would
> prevent this.

Generally, this problem is solved by salting the password with the username before it is hashed. Thus, the user would know that their userid/password hashed to something, but would have no idea what admin/password would hash to.

Justin Cave

Received on Thu Jan 30 2003 - 18:52:46 CST
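The username-bound hashing Justin describes, as an added example that is not code from the original thread (Python rather than Oracle PL/SQL; the random per-user salt layered on top of the username binding is an addition beyond what the post states). It replays the row-copy scenario from the question against both schemes and shows that a digest tied to the username no longer verifies once it has been moved to another account.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; a constructed value for this demo


def store_credential(username: str, password: str, bind_username: bool,
                     salt: Optional[bytes] = None) -> dict:
    """Build the row kept in the user table.

    bind_username=False is the flawed scheme from the question: the digest
    depends only on the password, so it is valid for any account it is copied to.
    bind_username=True mixes the account name into the salt, as the reply
    suggests (the random per-user salt is an addition beyond the post)."""
    salt = os.urandom(16) if salt is None else salt
    binding = username.lower().encode() if bind_username else b""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), binding + salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_login(table: dict, username: str, password: str, bind_username: bool) -> bool:
    """Recompute the digest using the account name being logged into (never a
    name read back from the row) and compare in constant time."""
    row = table.get(username)
    if row is None:
        return False
    binding = username.lower().encode() if bind_username else b""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), binding + row["salt"], ITERATIONS)
    return hmac.compare_digest(digest, row["hash"])


def hash_swap_grants_admin(bind_username: bool) -> bool:
    """Replay the question's scenario: a low-privilege account's row contents
    (hash and salt) are copied over the admin row, then a login as admin is
    attempted with that account's own password. True means the login succeeded."""
    table = {
        "admin": store_credential("admin", "correct horse", bind_username),
        "mallory": store_credential("mallory", "battery staple", bind_username),
    }
    table["admin"] = dict(table["mallory"])  # the cross-account copy
    return check_login(table, "admin", "battery staple", bind_username)


if __name__ == "__main__":
    print("password-only hash, copied row logs in:", hash_swap_grants_admin(False))   # True
    print("username-bound hash, copied row logs in:", hash_swap_grants_admin(True))   # False
```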
