Friday, November 04, 2005

Schneier on Security: Oracle's Password Hashing:

Here's a paper on Oracle's password hashing algorithm. It isn't very good.

In this paper the authors examine the mechanism used in Oracle databases for protecting users' passwords. We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value. We also describe how to implement a password recovery tool using off-the-shelf software. We conclude by discussing some possible attack vectors and recommendations to mitigate this risk.

(Via Schneier on Security.)
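As an added example (not code from Schneier's post or from the paper's authors), here is the legacy pre-11g Oracle scheme the paper analyses, in Go, with a defender's use: recomputing the hash for a constructed sample account to check whether it still carries a documented default password. The fixed DES key and the two-pass DES-CBC construction are as documented for that scheme; the SCOTT/TIGER account and the stored row are constructed sample data.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// legacyOracleHash reproduces the pre-11g Oracle scheme: uppercase(username+password),
// widened to two bytes per character and zero-padded, is DES-CBC encrypted twice with a
// zero IV; the first pass uses a hard-coded key, the second is keyed by the first pass's
// last ciphertext block. The 64-bit result is rendered as 16 upper-case hex digits.
// Assumes ASCII input; the username is the only "salt", so equal pairs hash identically.
func legacyOracleHash(username, password string) (string, error) {
	joined := strings.ToUpper(username + password) // case folding shrinks the keyspace
	buf := make([]byte, 0, 2*len(joined)+des.BlockSize)
	for _, r := range joined {
		buf = append(buf, byte(r>>8), byte(r)) // UTF-16BE; ASCII gets a zero high byte
	}
	for len(buf)%des.BlockSize != 0 || len(buf) == 0 {
		buf = append(buf, 0) // zero-pad to a whole number of DES blocks
	}
	first, err := lastCBCBlock([]byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, buf)
	if err != nil {
		return "", err
	}
	second, err := lastCBCBlock(first, buf)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(second)), nil
}

// lastCBCBlock encrypts plaintext with DES-CBC under a zero IV and returns the final
// ciphertext block, which is all the legacy scheme keeps from each pass.
func lastCBCBlock(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, plaintext)
	return out[len(out)-des.BlockSize:], nil
}

func main() {
	// Constructed audit row: an unsalted, case-insensitive hash equal to a documented
	// default means the account's password was never changed.
	stored := "F894844C34402B67" // documented hash of the default SCOTT/TIGER pair
	h, _ := legacyOracleHash("scott", "tiger")
	fmt.Println("SCOTT still on default password:", h == stored)
}
```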
