db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Date Fri, 17 Aug 2007 15:17:11 GMT
Dag H. Wanvik wrote:
> Daniel John Debrunner <djd@apache.org> writes:
> 
>> Could you explain how having the hash makes a dictionary attack easy?
> 
> Cf for example http://en.wikipedia.org/wiki/Dictionary_attack:
>   :
>   However many systems store a hashed version of the password and make
>   it available under certain circumstances, such as a
>   challenge-response authentication exchange between two parties. If
>   an attacker can obtain the hashed password, they can test guessed
>   passwords rapidly, often at a rate of tens or hundreds of millions
>   of guesses per second.
>   :
> Derby's algorithm is known, so there is no need to call 
> 
>    SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.<dummyuser>','<guess>')
>    VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<dummyuser>')
> 
> to check the guess.  The attack could proceed off-line.

Thanks.

> 
> Of course, the dba can get at the hash value anyway by digging into the database
> files..

The dba *may* be able to get at the hash value. There is no guarantee 
that the dba has read access to the raw database files.

Dan.
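
The offline guessing discussed in this thread, seen from the side of someone auditing stored credentials (an added example, not code from the thread or from Derby). It assumes SHA-256 as a stand-in for an unsalted, publicly known hash and PBKDF2 as a salted, iterated alternative; the thread does not name Derby's algorithm, and the user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for the salted scheme


def unsalted_hash(password: str) -> str:
    # Stand-in for a known, unsalted, single-round password hash.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_kdf(password: str, salt: bytes) -> str:
    # Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS).hex()


def audit_unsalted(stored: dict, candidates: list) -> dict:
    """Flag accounts whose stored hash equals the hash of a known-weak password.
    Each candidate is hashed once and compared against every account, and no
    call to the database is needed once the stored values are readable."""
    table = {unsalted_hash(c): c for c in candidates}
    return {user: table[h] for user, h in stored.items() if h in table}


def audit_salted(stored: dict, candidates: list) -> dict:
    """Same audit on salted records: each (account, candidate) pair needs its
    own KDF run, so cost scales with accounts x candidates x iterations."""
    found = {}
    for user, (salt, digest) in stored.items():
        for cand in candidates:
            if hmac.compare_digest(salted_kdf(cand, salt), digest):
                found[user] = cand
                break
    return found


# Constructed sample data (hypothetical users and passwords).
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "x9!Lq#72vTzP"}
WEAK_LIST = ["password", "123456", "sunshine"]

UNSALTED_STORE = {u: unsalted_hash(p) for u, p in USERS.items()}
SALTED_STORE = {}
for _user, _pw in USERS.items():
    _salt = os.urandom(16)
    SALTED_STORE[_user] = (_salt, salted_kdf(_pw, _salt))

if __name__ == "__main__":
    print("unsalted audit:", audit_unsalted(UNSALTED_STORE, WEAK_LIST))
    print("salted audit:  ", audit_salted(SALTED_STORE, WEAK_LIST))
```

Weak passwords are flagged under both schemes; salting and iteration change the cost per guess and stop one computed hash from matching several accounts, which is why read access to the stored values matters in either case.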
