db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel John Debrunner <...@apache.org>
Subject Re: [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Date Fri, 17 Aug 2007 14:18:47 GMT
Dag H. Wanvik wrote:
> "Daniel John Debrunner (JIRA)" <jira@apache.org> writes:
> 
>>     [ https://issues.apache.org/jira/browse/DERBY-1387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12520325
] 
>>
>> Daniel John Debrunner commented on DERBY-1387:
>> ----------------------------------------------
>>
>> Rick> So if the DBA uses system procedures to read the passwords, hashed values
come back. 
>>
>> I don't think so. I think NULL will be returned for a password
>> lookup using the get database property method.
> 
> I tried this and it does seem to return the hash value, but maybe I
> slipped on something?

No, I misremembered. It's the encryption password that has special code 
to ensure it is not returned. Sorry.


> So, without sql authorization enabled it seems:
> 
> a) the user can change his own password (Rick in example), and 
> b) hash value will be returned, also to dbo, making dictionary attack easy.

Could you explain how having the hash makes a dictionary attack easy?

Thanks,
Dan.

Mime
View raw message