Dag H. Wanvik wrote:
> "Daniel John Debrunner (JIRA)" <[EMAIL PROTECTED]> writes:
>> [ https://issues.apache.org/jira/browse/DERBY-1387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12520325 ]
>> Daniel John Debrunner commented on DERBY-1387:
>> ----------------------------------------------
>> Rick> So if the DBA uses system procedures to read the passwords, hashed values come back.
>> I don't think so. I think NULL will be returned for a password
>> lookup using the get database property method.
>
> I tried this and it does seem to return the hash value, but maybe I
> slipped on something?

No, I misremembered. It's the encryption password that has special code
to ensure it is not returned. Sorry.

> So, without SQL authorization enabled it seems:
> a) the user can change his own password (Rick in the example), and
> b) the hash value will be returned, also to the dbo, making a dictionary attack easy.

Could you explain how having the hash makes a dictionary attack easy?

Thanks,
Dan.