Re: Help -- Passwords ?????????????????
Date: 1996/07/19
Message-ID: <31EFD6AC.69C4_at_beatrix.philips.nl>#1/1
A Ustby wrote:
>
> I'm the DBA at my shop. I have access to SYS id so I can change passwords for
> users. But I have an ORACLE user id that I don't know the password for and
> don't want to change the password. I just want to find out the current
> password for that user. SYS id also allows me to access the table DBA_USERS
> which I can view the fields USER_ID and PASSWORD. The PASSWORD field is
> encrypted. Is there a procedure/program that will decrypt the password.
>
> Thanks for any help.
>
> Art
Sorry for my possibly nasty remark but would you consider a cypher
system to be secure when you would have a possibility to decrypt it
easily? I would lose my faith...;)
Well, to be more accurate it IS possible to decipher it. The only thing
you need is a password generator and the coding algorithm. Because
nowadays password encoding algorithms are claimed to be 'one-way' which
means that once a string passed the encipher filter there is no way back
to the original. But what you can do is generate strings, feed the
algorithm with it and compare the output with your enciphered password.
In case you find a match you got a valid password. So where is the
problem?
TIME will be your problem. Normally the coding algorithm is a
complicated (well, not really) mathematical procedure which is CPU-time
consuming. But even in case you have a fast machine ... but let's
calculate a bit:
imagine the password contains at least 6 characters
and includes standard characters (only lowercase, no special char): 26 (a-z)
-> equals: 26^6 = 308.915.776 possibilities
Let's assume your algorithm needs .001 seconds (and this is very fast!!!)
to generate the enciphered output and compare it to the password:
-> Equals 308.916 seconds to go.
Average time to find a matching string would be half of that time
ergo 308.916s / 2 =~ 154.458s /3600s ===> 42h to go
42h may sound a short time but I guess most people will agree that this was a best case scenario I described here. I guess it is no problem for you to vary the parameters to see how they affect the figures. (just imagine your password contains upper AND lower case or certain special characters)
Well it is also possible to use a dictionary and compare only words that make sense. (some years ago most passwords matched a real word but people became more cautious...)
Does anybody disagree with my statement?
--
Kind regards,
Bernd Buchegger (Webmaster)
Marketing Communications
Publishing Services
Philips Semiconductors
Building BEp-42b
P.O. Box 218
5600 MD Eindhoven
The Netherlands
Fax: +31 40 2724825
Phone: +31 40 2724684
Internet: w3master_at_ehv.sc.philips.com
Bernd.Buchegge_at_ehv.sc.philips.com
---=> LET'S MAKE THINGS BETTER <=---

Received on Fri Jul 19 1996 - 00:00:00 CEST
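
The parameter variation suggested in the message above, as an added example that is not part of the original post, framed as a password-policy sizing check. The 0.001 s per guess and the 26-letter, 6-character case come from the post; the other alphabets, the 100-year target and the `speedup` factor are assumptions chosen for illustration.

```python
# Seconds per guess taken from the post (0.001 s to encipher and compare).
SECONDS_PER_GUESS = 0.001

# "lowercase" is the post's case; the other alphabet sizes are assumed variations.
ALPHABETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}

def average_search_hours(alphabet_size, length, seconds_per_guess=SECONDS_PER_GUESS):
    """Average exhaustive-search time in hours: on average half the keyspace is tried."""
    keyspace = alphabet_size ** length
    return keyspace * seconds_per_guess / 2 / 3600

def min_length_for(alphabet_size, target_hours, seconds_per_guess=SECONDS_PER_GUESS):
    """Smallest password length whose average search time reaches target_hours."""
    length = 1
    while average_search_hours(alphabet_size, length, seconds_per_guess) < target_hours:
        length += 1
    return length

def policy_table(target_years=100.0, speedup=1.0):
    """Per alphabet: (average hours at length 6, minimum length for target_years).

    speedup > 1 models guessing hardware faster than the post's 0.001 s per guess
    (an assumed parameter, not a figure from the post).
    """
    per_guess = SECONDS_PER_GUESS / speedup
    target_hours = target_years * 365 * 24
    return {
        name: (average_search_hours(size, 6, per_guess),
               min_length_for(size, target_hours, per_guess))
        for name, size in ALPHABETS.items()
    }

if __name__ == "__main__":
    for speedup in (1, 1_000_000):
        print(f"guess rate x{speedup} relative to the post")
        for name, (hours6, min_len) in policy_table(speedup=speedup).items():
            print(f"  {name:20s} len 6: {hours6:16.4f} h   min length for 100 y: {min_len}")
```

This covers exhaustive search only; the dictionary approach mentioned in the post is not modelled, so the lengths are a lower bound for randomly chosen passwords.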