Penetration Testing mailing list archives
Re: Oracle hash-list?
From: Steven DeFord <security.willworker () gmail com>
Date: Wed, 16 Mar 2005 14:57:01 -0800
On Wed, 16 Mar 2005 20:51:21 +0100, Pieter Danhieux <pdanhieux () easynet be> wrote:
are you aware that the hashes stored in the oracle database not really use a salt (which is bad), but they do use the username as a differentiating factor. This means that the hash output depends on the
Isn't using the username as useful as a salt? Better, even, perhaps, since usernames are longer than your typical few-character salt? Salts just slow down precompiled dictionary attacks, yes? I suppose it would be less useful for the few default accounts, but not for all the other users. -- Steven DeFord steve () singingtree com (925) 596-0426
Current thread:
- Oracle hash-list? Jeroen (Mar 15)
- Re: Oracle hash-list? Pieter Danhieux (Mar 16)
- Re: Oracle hash-list? Steven DeFord (Mar 16)
- Re: Oracle hash-list? Joshua Wright (Mar 21)
- Re: Oracle hash-list? Steven DeFord (Mar 16)
- <Possible follow-ups>
- Re: Oracle hash-list? Jeroen (Mar 16)
- Re: Oracle hash-list? Nexus (Mar 21)
- RE: Oracle hash-list? McAllister, Andrew (Mar 21)
- Re: Oracle hash-list? James Hackett (Mar 21)
- Re: Oracle hash-list? Pieter Danhieux (Mar 16)