We probably do disagree on what feasible means. If you've ever studied computer security, you'll know that the only secure computer is the one that is turned off, unplugged and stored in a safe somewhere. In reality there is no such thing as totally secure. There is only secure enough. It's all a matter of how valuable your data is vs. how many resources it will take for the attacker to get at it. Now, I'm sure that if I needed to get at something on your server, I could brute force the root password in maybe 10 years or so. There are easier ways of getting at that data, for example social engineering.

The point is, brute force attacks are not feasible remotely if the password is strong enough. Have you ever tried to crack a Windows/Linux password locally? For a secure Windows password, it would take more than a month to crack (perhaps closer to infinity if you start using special characters). Of course, if you know the hash, you can break the password using rainbow tables. But when you're doing the cracking remotely, it is much, much slower due to the fact that you have to try every authentication attempt over the network. It is just not feasible to crack a password remotely, unless it's a very simple password based on a dictionary word. Sniffing the password is a totally different matter, and if you can position yourself in such a way that traffic from the client to the server flows through you, you can probably get the password quite easily (unless the software uses some kind of encryption).

Russ

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 16, 2005 1:16 PM
To: CF-Talk
Subject: RE: DB connection question

> Brute force attacks are not feasible remotely, unless the password
> is extremely weak.

This is simply not true, although we may disagree on what "feasible" means.

> And if your data is that important, you wouldn't be having it
> on a shared server in the first place.

Probably not. Again, though, the original question was whether this is secure. The answer is still "no". For most shared sites, security may not be a concern, and that's ok, but no one should think that it is secure when it's not.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:228423
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
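Putting rough numbers on the remote-vs-local distinction argued in the thread above, as an added example that is not part of the original posts: the guess rates, dictionary size and mutation count below are illustrative assumptions, not measurements of any system, and the output is only an order-of-magnitude worst case.

```python
"""Order-of-magnitude brute-force estimates: online guessing vs offline hash cracking.

Constructed illustration of the thread's argument. All rates are assumptions.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed guess rates in attempts per second (illustrative placeholders).
# Remote: every guess is a full authentication round trip over the network.
# Local: the attacker already holds the hash and tests candidates on their own box.
RATES = {
    "remote (network login attempts)": 20.0,
    "local (offline hash cracking)": 1e9,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for passwords of exactly `length` characters."""
    return charset_size ** length


def dictionary_keyspace(words: int, mutations_per_word: int) -> int:
    """Candidates for 'dictionary word plus a few common tweaks' passwords."""
    return words * mutations_per_word


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate, in years."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def compare(candidates: int) -> dict:
    """Worst-case years for each assumed rate, keyed by scenario name."""
    return {name: years_to_exhaust(candidates, rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    scenarios = {
        # Assumed: 8 lower-case letters only.
        "8 lower-case letters": keyspace(26, 8),
        # Assumed: 10 chars from the 95 printable ASCII characters.
        "10 mixed printable chars": keyspace(95, 10),
        # Assumed: 50k-word list, 100 tweaks each (case, digit suffix, leet...).
        "dictionary word + tweaks": dictionary_keyspace(50_000, 100),
    }
    for label, size in scenarios.items():
        print(f"{label}: {size:.3g} candidates")
        for name, years in compare(size).items():
            print(f"  {name:34s} {years:12.3g} years worst case")
```

Under these assumptions the dictionary case falls to a remote attacker in days, while the long mixed-character password is out of reach remotely but still only a question of hardware once the hash leaks.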

