Re: Oracle password encryption algorithm?

From: Dan Wing <dwing_at_uh01.colorado.edu>
Date: Tue, 6 Jul 1993 23:02:12 GMT
Message-ID: <0096F1A7.6E0EE220_at_buckie>


In article <1993Jul5.135313.1_at_hadassah.bitnet>, gur_at_hadassah.bitnet writes:
>In article <1993Jul2.213313.16282_at_exlog.com>, lparsons_at_exlog.com (Lee Parsons) writes:
>> In article <1993Jul1.134033.1_at_cbr.hhcs.gov.au> pihlab_at_cbr.hhcs.gov.au writes:
>>>In article <1993Jun30.154324.1_at_cissys>, trahan_at_cissys.read.tasc.com (Dave Trahan) writes:
>>>>
>>>> Does anyone know what algorithm Oracle uses to encrypt user passwords?
>>>
>>>Hopefully, only Oracle and it's well guarded. If everyone knew the algorithm
>>>then there would be no point in having a password because the encrypted value
>>>is stored (visible) in the database and you could run a program to crack
>>>anyone's account.
> [. . .]
>
>Just compare the situation with the VMS passwords.
>Not only the algorithm is known, but there is even a system service to
>encrypt a string using it. However the users authorization file is
>inaccessible to unprivileged mortals.

The primary strength of the VMS password encryption scheme isn't that the ciphertext is protected from non-privileged users.

The primary strength is that the passwords are encrypted with a one-way function; once the data (the password) has been encrypted, it cannot be decrypted into its original form without a brute-force attack. The fact that the file containing the encrypted passwords is unavailable to non-privileged users only prevents a non-privileged user from performing a brute-force attack on the encrypted data.

-dan

(who knows only a little about most things, and even less about cryptography).

-Dan Wing, dwing_at_uh01.colorado.edu

Received on Wed Jul 07 1993 - 01:02:12 CEST
