On 1/25/06, Daniel John Debrunner <[EMAIL PROTECTED]> wrote:
> Francois Orsini (JIRA) wrote:
> > [
> > http://issues.apache.org/jira/browse/DERBY-866?page=comments#action_12364050
> > ]
> >
> > Francois Orsini commented on DERBY-866:
> > ---------------------------------------
> >
> >
> >>Daniel John Debrunner commented on DERBY-866:
> >>---------------------------------------------
> >>
> >>What's the purpose of returning the password column in the table/vti
> >>SYSUSERS?
> >>
> >
> > Password won't be clearly readable, only the base64 representation of an
> > already hashed password
> > - no risk really
>
> I think it's a huge risk. You are giving crackers information to start
> an attack. Every encryption scheme is breakable, it's just a matter of
> time/cpu usage.
Fair enough - in that case only a user with an 'Admin' role or with 'CREATE USER' privilege would have been able to access the password base64-single-hashed column, *not* everyone... But I agree it is still better not to show it at all - what we could do is only show the content IF the authentication scheme/style is different than built-in, or like you say we don't display the column at all. Thanks for the additional feedback, Dan.

> > Dan.
> >
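The two mitigations raised in this exchange (restricting the hashed-password column to an administrative role, or not exposing it at all) can be expressed as a small schema change. The following is an added illustration written for this page; it is not Derby's code, not the SYSUSERS definition discussed in DERBY-866, and every table, view, role and account name in it is hypothetical. It puts the weak setting (whole credential table readable by everyone) beside the hardened one (a public view that simply omits the hash column, with the underlying table granted only to an admin role).

```sql
-- Added illustration, not Derby's own schema: all names below are hypothetical.
-- A credential table that stores a base64-encoded, already hashed password
-- next to each username.
CREATE TABLE app_users (
    username   VARCHAR(128) NOT NULL PRIMARY KEY,
    pw_hash    VARCHAR(256) NOT NULL,   -- base64 of the hashed password
    created_at TIMESTAMP    NOT NULL
);

-- Weak setting: every account can read the whole table, hash column included.
-- Left here only for contrast; do not run it.
-- GRANT SELECT ON app_users TO PUBLIC;

-- Hardened setting (option 1 from the thread): the underlying table is readable
-- only by an administrative role.
CREATE ROLE user_admin;
GRANT SELECT ON app_users TO user_admin;
GRANT user_admin TO alice;            -- hypothetical administrator account

-- Hardened setting (option 2 from the thread): everyone else gets a view that
-- does not carry the hash column at all, so there is nothing to leak.
CREATE VIEW app_users_public AS
    SELECT username, created_at
    FROM app_users;
GRANT SELECT ON app_users_public TO PUBLIC;

-- Check, run as an account without the user_admin role: the first query should
-- return rows, the second should be rejected with a privilege error. If the
-- second one succeeds, the hash column is still exposed.
SELECT username FROM app_users_public;
SELECT pw_hash FROM app_users;
```

The view is the stronger of the two choices for the reason Dan gives: a column that is never projected cannot be read by any account, whereas a role-restricted column is only as safe as the membership of that role.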
