> why isn't there a program available that can reverse engineer the code used
> to encrypt passwords...  
> 
> if username XYZ always has password (encrypted) CBA, you think that it would
> be easy to figure out the pattern...   once you have the pattern it's easy
> to go back and forth with the password and the encrypted password.   

Nick:

Password encryption is a one-way algorithm.  I'm no math genius, but these 
guys know how to create math such that you can encrypt a string of text, 
but *CAN'T* reverse the process.  This is an age-old method.  In fact for 
years, the unix password file was plainly readable by anyone on the 
system.  In those days, computers weren't fast enough to run dictionary 
cracker programs.  When they became fast enough, people would just go 
through a dictionary file, and encrypt each word, and simple permutations 
thereof.  When you found an encrypted string which matched your string 
from the password file, you had a match.  Then shadow password files were 
invented.

Anyway, security in Oracle is implemented in somewhat the same way.  And 
just as in the Unix world, if you have the encrypted passwords, you can 
run a dictionary hack like John the Ripper (http://www.openwall.com/john/) 
and find passwords which are based on dictionary words.

This is an endless game of cat and mouse.  Users can't remember complex 
strings like "$rs^&tvzH(9", so they either use passwords they can 
remember, which is insecure, or write them on a post-it.  Some people have 
devised small electronic versions of a post-it with a password, some 
attached to a keychain, or a program for the palm pilot.  But the same 
problem remains, they're only as good as the password that secures all the 
others.  

If you want to go further to the cutting edge, you run into the new field 
of biometrics.  Bruce Schneier has a lot to say about this: 
http://www.counterpane.com/crypto-gram-9808.html

A Japanese researcher named Tsutomu Matsumoto managed to hack fingerprint 
readers 80% of the time with Jelly Babies!!!
http://www.zdnet.com.au/newstech/security/story/0,2000024985,20265318-1,00.htm
http://www.counterpane.com/crypto-gram-0205.html#5

I actually requested a copy of this paper through the mail.  It was *VERY* 
interesting.  

So don't expect these problems to be solved anytime soon.  :-)

HTH,
Sean
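The two mechanisms Sean describes, a one-way (salted) hash and a dictionary run that hashes each word plus simple permutations and compares, are shown below as an added example. This is not code from the original post, from Unix crypt(3), from Oracle, or from John the Ripper; the hash format (salt, "$", SHA-256 hex digest), the mangling rules, the wordlist and the "password file" entries are all constructed here for illustration.

```python
import hashlib
import hmac
from typing import Iterator, Optional

# Constructed stand-in for a dictionary file (assumption: a real run uses a large wordlist).
WORDLIST = ["oracle", "password", "tiger", "scott", "welcome"]


def hash_password(password: str, salt: str) -> str:
    """One-way, salted hash. Storage format 'salt$hexdigest' is an assumption of this example.

    There is no inverse: the only way back to the password is to guess and re-hash.
    """
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def mangle(word: str) -> Iterator[str]:
    """Yield the dictionary word and the 'simple permutations' a cracker tries:
    case changes, reversal, a leet substitution, and common numeric/symbol suffixes."""
    seen = set()
    leet = word.replace("o", "0").replace("e", "3").replace("a", "4")
    bases = [word, word.capitalize(), word.upper(), word[::-1], leet]
    for base in bases:
        for suffix in ("", "1", "123", "!", "2024"):
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def crack(stored: str, wordlist) -> Optional[str]:
    """Dictionary attack against one stored entry.

    The salt is public (it is stored next to the digest), so the attacker re-hashes
    every candidate with that salt and compares; a match reveals the password.
    """
    salt, _digest = stored.split("$", 1)
    for word in wordlist:
        for candidate in mangle(word):
            # hmac.compare_digest is what a verifier should use; it is harmless here.
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                return candidate
    return None


def crack_file(passwd: dict, wordlist) -> dict:
    """Run the dictionary attack over a whole (constructed) password file."""
    return {user: crack(stored, wordlist) for user, stored in passwd.items()}


# Constructed "password file": one dictionary-derived password, one random one.
PASSWD = {
    "scott": hash_password("Tiger123", "k3"),   # dictionary word + case + suffix
    "sys": hash_password("$rs^&tvzH(9", "q7"),  # the complex string from the post
}

if __name__ == "__main__":
    # Same password, different salt: no repeating "pattern" for the same plaintext.
    print(hash_password("tiger", "ab"))
    print(hash_password("tiger", "cd"))
    print(crack_file(PASSWD, WORDLIST))
```

The salt is why the quoted question's premise ("username XYZ always has password CBA") does not hold on a salted system: two users with the same password get different stored strings, and a cracker cannot reuse one hashed dictionary across accounts. The run still recovers "Tiger123" for scott, which is exactly the dictionary-word weakness the post describes, while the random string for sys is not found.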


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: From
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).