Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle Password Encryption Algorithm

From: jim cox <jc_at_mars.superlink.net>
Date: 1997/03/13
Message-ID: <E6zo8s.6y6@nonexistent.com>#1/1

In article <33282EA5.1041_at_msfc.nasa.gov>, Chris Urban <christopher.urban_at_msfc.nasa.gov> wrote:
>Rob van Lopik wrote:
>
>> > If the algorithm were published, it would kind of defeat the purpose
>> > of having a password now, wouldn't it???
>>
>> No, it doesn't, because it is supposed to be one-way only. Your password
>> gets hashed into something that is stored in the database, but the
>> algorithm cannot be run the other way around, that is, you cannot produce
>> the clear password from the rubbish that you will find in DBA_USERS.
>Give me one week, an encoded password, and a 'one way' algorithm and I
>guarantee you I can come up with the original password. This would pose a
>major security risk for Oracle to publish. Let's be realistic.

not to split hairs or anything, but if the "one-way" algorithm had the property of allowing more than one 'cleartext' password to map into the same 'ciphertext' password, you wouldn't necessarily be able to tell if you had the original password (the one you came up with would work, of course, but it might not be the original password).

in addition, in regard to the "major security risk" for Oracle, it is unwise to rely on the secrecy of an algorithm to protect security (and why nearly all encryption algorithms are made available for scrutiny).

Received on Thu Mar 13 1997 - 00:00:00 CST
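The many-to-one property raised in the message above, as an added example that is not part of the original post and not Oracle's algorithm. It assumes a constructed toy hash (SHA-256 truncated to 8 bits so collisions appear quickly) and hypothetical helper names; the algorithm is fully public, and an exhaustive search still returns a password that verifies without being the original.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

BITS = 8  # constructed toy width; real digests are far wider

def toy_hash(password: str, bits: int = BITS) -> int:
    """Public one-way function: the top `bits` bits of SHA-256."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)

def candidates(max_len: int = 2):
    """Lowercase strings of length 1..max_len, in a fixed order."""
    for length in range(1, max_len + 1):
        for combo in product(ascii_lowercase, repeat=length):
            yield "".join(combo)

def first_collision(bits: int = BITS):
    """Return (earlier, later): two different inputs with the same hash.
    702 candidates map onto 2**8 outputs, so one must exist (pigeonhole)."""
    seen = {}
    for cand in candidates():
        h = toy_hash(cand, bits)
        if h in seen:
            return seen[h], cand
        seen[h] = cand
    raise ValueError("no collision in this search space")

def search(stored: int, bits: int = BITS) -> str:
    """Exhaustive search: first candidate whose hash equals the stored value."""
    for cand in candidates():
        if toy_hash(cand, bits) == stored:
            return cand
    raise ValueError("stored value not reachable from this search space")

def verify(attempt: str, stored: int, bits: int = BITS) -> bool:
    """What a login check sees: only whether the hashes match."""
    return toy_hash(attempt, bits) == stored

def demo():
    # Take the later member of a colliding pair as the user's real password.
    _, original = first_collision()
    stored = toy_hash(original)   # the value a password table would hold
    recovered = search(stored)    # the search stops at the earlier member
    return original, recovered, stored

if __name__ == "__main__":
    original, recovered, stored = demo()
    print(f"stored={stored:#04x} original={original!r} recovered={recovered!r}")
    print("recovered verifies:", verify(recovered, stored))
```

The recovered string is accepted by `verify` even though it differs from the original, which is why the width of the stored digest matters to a defender while the secrecy of the algorithm does not.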
