Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Encrypted Fields

From: Karsten Farrell <kfarrell_at_belgariad.com>
Date: Fri, 31 Jan 2003 01:08:42 GMT
Message-ID: <u0k_9.105$eR.16832833@newssvr15.news.prodigy.com>


Justin Cave wrote:

> Bigus Dickus <no_spam_for_me_thanks_at_yahoo.com> wrote in message news:<3E37E3B9.F8080DEE_at_yahoo.com>...
> 

>>For instance, we currently have a hashing algorithm which encrypts
>>passwords and then stores the hash in the password field of the user
>>table. However, the hash can be copied from user to user. For
>>instance, it is possible to create a dummy user, copy the admin's
>>password into the dummy user account, copy the password from your own
>>account into admin, et voila! you are able to login as admin with your
>>own password. Once you are done hacking away at the system, you simply
>>swap the passwords back and delete the dummy account record from the
>>table.
>>
>>It seems to me that there should be something within Oracle which would
>>prevent this.
> 
> 
> Generally, this problem is solved by salting the password with the
> username before it is hashed.  Thus, the user would know that their
> userid/password hashed to something, but would have no idea what
> admin/password would hash to.
> 
> Justin Cave

Also seed with the hostname so they can't load it on their PC at home and let it crank away with a password cracking program. Oracle doesn't do this, however.

Received on Thu Jan 30 2003 - 19:08:42 CST
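To show why salting with the username (Justin's suggestion) and seeding with the hostname (Karsten's) defeats the hash swap the original poster describes, here is an added Python example; it is not code from the thread or from Oracle, and the user table, usernames, passwords and hostname in it are constructed.

```python
import hashlib
import hmac

# Assumed server name; stands in for the real hostname Karsten suggests seeding with.
HOSTNAME = "dbhost.example"


def hash_unsalted(username: str, password: str) -> str:
    """The scheme the original poster describes: the password alone is hashed,
    so the stored value is the same no matter which row it sits in."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(username: str, password: str, hostname: str = HOSTNAME) -> str:
    """Hash bound to the account and the server: the same password yields a
    different stored value for every username and every host."""
    material = f"{hostname}:{username}:{password}".encode()
    return hashlib.sha256(material).hexdigest()


def verify(table: dict, username: str, password: str, hasher) -> bool:
    """Login check against the stored hash for this username."""
    stored = table.get(username)
    if stored is None:
        return False
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(stored, hasher(username, password))


def hash_swap_succeeds(hasher) -> bool:
    """Replay the scenario from the thread against a constructed user table:
    someone with write access to the table copies their own stored hash over
    admin's row and then tries to log in as admin with their own password.
    Returns True if that login is accepted, i.e. the scheme is vulnerable."""
    table = {
        "admin": hasher("admin", "constructed-admin-pw"),
        "mallory": hasher("mallory", "constructed-own-pw"),
    }
    table["admin"] = table["mallory"]  # the swap described by the original poster
    return verify(table, "admin", "constructed-own-pw", hasher)


if __name__ == "__main__":
    print("unsalted scheme vulnerable:", hash_swap_succeeds(hash_unsalted))
    print("username+host salted scheme vulnerable:", hash_swap_succeeds(hash_salted))
```

SHA-256 is used here only to keep the illustration short; the point is the binding to username and host, not the choice of digest.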
