Dag H. Wanvik wrote:
> Daniel John Debrunner <[EMAIL PROTECTED]> writes:
>> Could you explain how having the hash makes a dictionary attack easy?
> Cf. for example http://en.wikipedia.org/wiki/Dictionary_attack:
> :
> However many systems store a hashed version of the password and make
> it available under certain circumstances, such as a
> challenge-response authentication exchange between two parties. If
> an attacker can obtain the hashed password, they can test guessed
> passwords rapidly, often at a rate of tens or hundreds of millions
> of guesses per second.
> :
> Derby's algorithm is known, so there is no need to call
> SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.<dummyuser>','<guess>')
> VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<dummyuser>')
> to check the guess. The attack could proceed off-line.
Thanks.
> Of course, the dba can get at the hash value anyway by digging into the database
> files.
The dba *may* be able to get at the hash value. There is no guarantee
that the dba has read access to the raw database files.
Dan.
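The point of the exchange is that once an attacker holds the stored hash and knows the algorithm, every guess is checked locally at CPU speed rather than through a database round-trip. The following is an added illustration, not code from the Derby project or from either poster, and it does not model Derby's actual hashing scheme: a constructed single-pass unsalted digest (scheme A) stands in for any fast, unsalted format, and a per-user salt with PBKDF2 stretching (scheme B) shows the two properties that limit off-line guessing. Function names, the `hunter2`/`demo-password` sample values and the iteration count are all constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # PBKDF2 work factor for scheme B; tune to your hardware


def fast_unsalted(password: str) -> str:
    """Scheme A: constructed stand-in for any single-pass, unsalted scheme.
    Given the algorithm and this digest, a guess is confirmed with one hash
    computation and no database round-trip."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def stretched(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over a per-user salt; cost scales with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Scheme B: what a store would keep per user (salt, cost, derived hash)."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": stretched(password, salt, iterations)}


def verify(password: str, record: dict) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    candidate = stretched(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def unsalted_digests_match(pw_user1: str, pw_user2: str) -> bool:
    """Scheme A: two users with the same password get the same digest, so one
    precomputed table of digests serves every account in a dump at once."""
    return fast_unsalted(pw_user1) == fast_unsalted(pw_user2)


def salted_records_match(pw_user1: str, pw_user2: str) -> bool:
    """Scheme B: different salts give different hashes even for an identical
    password, so each account must be worked on separately."""
    r1, r2 = make_record(pw_user1), make_record(pw_user2)
    return r1["hash"] == r2["hash"]


def guesses_per_second(check, budget_s: float = 0.2) -> float:
    """How many candidate checks one CPython thread completes per second under
    `check`. This is the off-line rate the quoted Wikipedia text refers to;
    absolute numbers here are far below an optimised cracker, the ratio is
    what matters."""
    n, start = 0, time.perf_counter()
    while True:
        check("candidate-%d" % n)  # constructed candidate strings
        n += 1
        elapsed = time.perf_counter() - start
        if elapsed >= budget_s:
            return n / elapsed


def slowdown_factor() -> float:
    """Ratio of scheme A's guess rate to scheme B's on this machine."""
    record = make_record("demo-password")  # constructed sample record
    fast = guesses_per_second(fast_unsalted)
    slow = guesses_per_second(lambda guess: verify(guess, record))
    return fast / slow


if __name__ == "__main__":
    print("shared password, scheme A digests equal:",
          unsalted_digests_match("hunter2", "hunter2"))
    print("shared password, scheme B hashes equal: ",
          salted_records_match("hunter2", "hunter2"))
    print("scheme B costs about %.0fx more per guess than scheme A"
          % slowdown_factor())
```

Running it prints `True` for scheme A and `False` for scheme B on the shared-password check, followed by a slowdown of several orders of magnitude. The two levers are visible in the code: the salt removes the one-table-for-all-users shortcut, and the iteration count sets the per-guess cost that an off-line attacker cannot avoid. Neither changes the advice in the thread that the hash itself should not be readable by ordinary users.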