Full Disclosure mailing list archives

Re: MySQL Local/Remote FAST Account Password Cracking


From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 4 Dec 2012 14:18:42 -0500

On Mon, Dec 3, 2012 at 1:13 PM, king cope
<isowarez.isowarez.isowarez () googlemail com> wrote:
...
Since the SALT does not change (and this is the weak point) in the change_user command, it is a convenient way to crack passwords. (When connecting to mysql, in each connection attempt the SALT is always different and sent out by the server.)
...
Somewhat relevant here... Salt has been recently shown to be a good thing: "Multi-Instance Security and its Application to Password-Based Cryptography" (http://eprint.iacr.org/2012/196.pdf).

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

