Full Disclosure mailing list archives
Re: MySQL Local/Remote FAST Account Password Cracking
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 4 Dec 2012 14:18:42 -0500
On Mon, Dec 3, 2012 at 1:13 PM, king cope <isowarez.isowarez.isowarez () googlemail com> wrote:
... Since the SALT does not change (and this is the weak point) in the change_user command it is a convenient way to crack passwords. (When connecting to mysql in each connection attempt the SALT is always different and sent out by the server). ...
Somewhat relevant here.... Salt has been recently shown to be a good thing: "Multi-Instance Security and its Application to Password-Based Cryptography" (http://eprint.iacr.org/2012/196.pdf).
Jeff
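Added example, not part of the original messages: a toy server-side model of the challenge-response check used by MySQL's mysql_native_password authentication, comparing a salt that stays fixed across change_user calls (the behaviour the quoted post describes) with one that is rotated on every attempt and paired with a failure cap. The `Connection` class, `rotate_salt`, `max_failures` and the random 20-byte salt are assumptions for illustration, not MySQL code.

```python
import hashlib
import hmac
import os

def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stored_hash(password: bytes) -> bytes:
    # Value the server keeps for the account: SHA1(SHA1(password)).
    return sha1(sha1(password))

def client_token(password: bytes, salt: bytes) -> bytes:
    # Client reply: SHA1(password) XOR SHA1(salt + SHA1(SHA1(password))).
    return xor(sha1(password), sha1(salt + stored_hash(password)))

def server_verify(token: bytes, salt: bytes, stored: bytes) -> bool:
    # Recover SHA1(password) from the token, hash it, compare to the stored value.
    if len(token) != 20:
        return False
    return hmac.compare_digest(sha1(xor(token, sha1(salt + stored))), stored)

class Connection:
    """Hypothetical model of one connection's authentication state."""

    def __init__(self, stored: bytes, rotate_salt: bool, max_failures: int = 3):
        self.stored = stored
        self.rotate_salt = rotate_salt
        self.max_failures = max_failures
        self.failures = 0
        self.salt = os.urandom(20)  # assumption: random bytes stand in for the scramble

    def change_user(self, token: bytes) -> bool:
        if self.failures >= self.max_failures:
            return False  # connection locked after repeated failures
        ok = server_verify(token, self.salt, self.stored)
        if not ok:
            self.failures += 1
        if self.rotate_salt:
            self.salt = os.urandom(20)  # fresh challenge for the next attempt
        return ok
```

With `rotate_salt=False` a token computed once remains valid for the life of the connection; with rotation and the cap, each attempt is bound to a new challenge and the connection stops answering after `max_failures` bad tokens.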