Daniel John Debrunner <[EMAIL PROTECTED]> writes:

> Could you explain how having the hash makes a dictionary attack easy?

Cf. for example http://en.wikipedia.org/wiki/Dictionary_attack:

: However many systems store a hashed version of the password and make it
: available under certain circumstances, such as a challenge-response
: authentication exchange between two parties. If an attacker can obtain the
: hashed password, they can test guessed passwords rapidly, often at a rate
: of tens or hundreds of millions of guesses per second.

Derby's algorithm is known, so there is no need to call

  SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.<dummyuser>','<guess>')
  VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<dummyuser>')

to check the guess. The attack could proceed off-line. Of course, the dba
can get at the hash value anyway by digging into the database files.

Dag
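The point of the exchange above is that a known algorithm plus a readable digest lets a guess be verified without ever talking to the database, and the usual mitigation is a per-user random salt with an iterated key derivation function. The following added example (not part of the original mail, and not Derby's own hashing code) illustrates both halves on constructed data: unsalted SHA-1 stands in for any fast, saltless scheme, and PBKDF2-HMAC-SHA256 stands in for the salted, iterated alternative. The word list, the stored digests and the 200,000 iteration count are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list and the unsalted SHA-1 digest of
# one of those words. Unsalted SHA-1 is used here only as a stand-in for a
# "known, fast algorithm with no per-user salt" scheme (an assumption for
# illustration; this is not a reproduction of Derby's actual algorithm).
WORDLIST = ["letmein", "password", "derby123", "s3cret"]
STORED_UNSALTED = hashlib.sha1(b"derby123").hexdigest()


def unsalted_hash(password):
    """Fast, unsalted hash: identical inputs always give identical digests,
    so one precomputed table serves every user of the system."""
    return hashlib.sha1(password.encode()).hexdigest()


def offline_check(stored_hex, guesses):
    """Shows why the digest alone is enough: each candidate is compared
    locally against the stored value. No SET/GET_DATABASE_PROPERTY call,
    no server round trip, so server-side rate limits or audit logs never
    see the guessing. Returns the matching word or None."""
    for guess in guesses:
        if hmac.compare_digest(unsalted_hash(guess), stored_hex):
            return guess
    return None


def salted_hash(password, salt, iterations=200_000):
    """Mitigation: per-user random salt plus an iterated KDF. The salt makes
    precomputed tables useless across users; the iteration count multiplies
    the cost of every single guess (200_000 is an illustrative value)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password):
    """Create a (salt, digest) pair as a password store would persist it."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_record(password, record):
    """Constant-time verification against a stored (salt, digest) pair."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


if __name__ == "__main__":
    print("unsalted digest recovered from word list:",
          offline_check(STORED_UNSALTED, WORDLIST))
    rec_a = new_record("derby123")
    rec_b = new_record("derby123")
    print("same password, different salted digests:", rec_a[1] != rec_b[1])
    print("verify correct password:", verify_record("derby123", rec_a))
```

Running it shows the unsalted digest matched from the word list without any database access, while two records for the same password differ because of their salts, so a table built against one user's record tells the attacker nothing about another's, and each guess now costs a full PBKDF2 run instead of a single SHA-1.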
