db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dag.Wan...@Sun.COM (Dag H. Wanvik)
Subject Re: [jira] Commented: (DERBY-1387) Add JMX extensions to Derby
Date Fri, 17 Aug 2007 14:44:39 GMT
Daniel John Debrunner <djd@apache.org> writes:

> Could you explain how having the hash makes a dictionary attack easy?

Cf for example http://en.wikipedia.org/wiki/Dictionary_attack:
  :
  However many systems store a hashed version of the password and make
  it available under certain circumstances, such as a
  challenge-response authentication exchange between two parties. If
  an attacker can obtain the hashed password, they can test guessed
  passwords rapidly, often at a rate of tens or hundreds of millions
  of guesses per second.
  :
Derby's algorithm is known, so there is no need to call 

   SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.<dummyuser>','<guess>')
   VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<dummyuser>')

to check the guess.  The attack could proceed off-line.

Of course, the dba can get at the hash value anyway by digging into the database
files..

Dag

Mime
View raw message