Re: Oracle hash-list?

From: Steven DeFord (security.willworker_at_gmail.com)
Date: 03/16/05

    Date: Wed, 16 Mar 2005 14:57:01 -0800
    To: pen-test@securityfocus.com
    
    

    On Wed, 16 Mar 2005 20:51:21 +0100, Pieter Danhieux
    <pdanhieux@easynet.be> wrote:
    > Are you aware that the hashes stored in the Oracle database do not really
    > use a salt (which is bad), but they do use the username as a
    > differentiating factor. This means that the hash output depends on the

    Isn't using the username as useful as a salt? Better, even, perhaps,
    since usernames are longer than your typical few-character salt?
    Salts just slow down precompiled dictionary attacks, yes? I suppose
    it would be less useful for the few default accounts, but not for all
    the other users.

    -- 
    Steven DeFord
    steve@singingtree.com
    (925) 596-0426
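
The trade-off discussed in this thread, shown as an added example that is not part of the original message or of Oracle's code: a stand-in PBKDF2 scheme (not Oracle's actual algorithm) is salted once with the username and once with a random per-record salt. The account names, password and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor, chosen only to keep the demo fast


def hash_with_username(username: str, password: str) -> bytes:
    """Stand-in scheme where the username is the only differentiating input.
    PBKDF2 is used here; only the salting choice from the thread is modelled."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS)


def hash_with_random_salt(password: str, salt: bytes = b"") -> tuple:
    """Per-record random salt stored beside the hash. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_random_salt(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_with_random_salt(password, salt)[1], digest)


def compare_schemes(user_a: str, user_b: str, password: str) -> dict:
    # Two independent installs each create account user_a with the same password.
    site1_user = hash_with_username(user_a, password)
    site2_user = hash_with_username(user_a, password)
    site1_rand = hash_with_random_salt(password)
    site2_rand = hash_with_random_salt(password)
    return {
        # The username does separate different users who share a password...
        "username_separates_users": site1_user != hash_with_username(user_b, password),
        # ...but a shared account name gives the same stored value on every install,
        # which is the weakness for default accounts raised in the thread.
        "username_same_across_installs": site1_user == site2_user,
        # A random salt makes each stored record unique, even for the same account.
        "random_same_across_installs": site1_rand[1] == site2_rand[1],
        "random_still_verifies": verify_random_salt(password, *site1_rand),
    }


if __name__ == "__main__":
    # Constructed sample values, not real accounts.
    for name, value in compare_schemes("APPADMIN", "JSMITH", "changeme").items():
        print(f"{name}: {value}")
```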
    
