Re: Help -- Passwords ?????????????????

From: Webmaster <w3master_at_beatrix.philips.nl>
Date: 1996/07/19
Message-ID: <31EFD6AC.69C4_at_beatrix.philips.nl>#1/1


A Ustby wrote:
>
> I'm the DBA at my shop. I have access to SYS id so I can change passwords for
> users. But I have an ORACLE user id that I don't know the password for and
> don't want to change the password. I just want to find out the current
> password for that user. SYS id also allows me to access the table DBA_USERS
> which I can view the fields USER_ID and PASSWORD. The PASSWORD field is
> encrypted. Is there a procedure/program that will decrypt the password.
>
> Thanks for any help.
>
> Art

Sorry for my possibly nasty remark, but would you consider a cypher system to be secure if you had a possibility to decrypt it easily? I would lose my faith...;)
Well, to be more accurate it IS possible to decipher it. The only thing you need is a password generator and the coding algorithm. Because nowadays password encoding algorithms are claimed to be 'one-way' which means that once a string has passed the encipher filter there is no way back to the original. But what you can do is generate strings, feed the algorithm with them and compare the output with your enciphered password. In case you find a match you have got a valid password. So where is the problem?
TIME will be your problem. Normally the coding algorithm is a complicated (well, not really) mathematical procedure which is CPU-time consuming. But even in case you have a fast machine ... but let's calculate a bit:
imagine the password contains at least 6 characters and includes standard characters (only lowercase, no special char): 26 (a-z)
-> equals: 26^6 = 308.915.776 possibilities
Let's assume your algorithm needs .001 seconds (and this is very fast!!!) to generate the enciphered output and compare it to the password:
-> equals 308.916 seconds to go.
Average time to find a matching string would be half of that time, ergo 308.916s / 2 =~ 154.458s / 3600s ===> 42h to go

42h may sound a short time but I guess most people will agree that this was a best case scenario I described here. I guess it is no problem for you to vary the parameters to see how they affect the figures. (just imagine your password contains upper AND lower case or certain special characters)

Well it is also possible to use a dictionary and compare only words that make sense. (some years ago most passwords matched a real word but people became more cautious...)

Does anybody disagree with my statement?

-- 

Kind regards,

Bernd Buchegger (Webmaster)
Marketing Communications Publishing Services
Philips Semiconductors
Building BEp-42b
P.O. Box 218
5600 MD  Eindhoven
The Netherlands

Fax:            +31 40 2724825
Phone:          +31 40 2724684
Internet:       w3master_at_ehv.sc.philips.com
                Bernd.Buchegge_at_ehv.sc.philips.com

---=> LET'S MAKE THINGS BETTER <=---
Received on Fri Jul 19 1996 - 00:00:00 CEST
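
The calculation in the reply above, with its parameters made variable, as an added example that is not part of the original post. The 0.001 s per guess is taken from the post; the character sets, lengths and function names are assumptions chosen for illustration, useful when judging how much a password policy raises the search cost.

```python
import string

# Assumption taken from the post: one guess (encipher + compare) costs 0.001 s.
SECONDS_PER_GUESS = 0.001

# Constructed character sets for the variations the post suggests trying.
CHARSETS = {
    "lowercase": len(string.ascii_lowercase),                    # 26
    "lower+upper": len(string.ascii_letters),                    # 52
    "letters+digits": len(string.ascii_letters + string.digits), # 62
    "printable ASCII": len(string.ascii_letters + string.digits
                           + string.punctuation),                # 94
}

def keyspace(charset_size, length):
    """Number of candidate strings of exactly `length` characters."""
    return charset_size ** length

def keyspace_up_to(charset_size, min_len, max_len):
    """Candidates when only a length range is known (e.g. 'at least 6')."""
    return sum(keyspace(charset_size, n) for n in range(min_len, max_len + 1))

def search_seconds(candidates, seconds_per_guess=SECONDS_PER_GUESS, average=True):
    """Exhaustive-search time; on average a match is found halfway through."""
    total = candidates * seconds_per_guess
    return total / 2 if average else total

def humanize(seconds):
    """Render a duration in hours or years, whichever reads better."""
    year = 365 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.1f} years"
    return f"{seconds / 3600:,.1f} hours"

def table(lengths=(6, 8, 10)):
    """Average search time for every charset/length combination."""
    return [(name, n, humanize(search_seconds(keyspace(size, n))))
            for name, size in CHARSETS.items() for n in lengths]

if __name__ == "__main__":
    for name, n, duration in table():
        print(f"{name:<16} length {n:<2} average {duration}")
```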
