From: Steven DeFord (security.willworker@gmail.com)
Date: Wed Mar 16 2005 - 17:57:01 EST

On Wed, 16 Mar 2005 20:51:21 +0100, Pieter Danhieux
<pdanhieux@easynet.be> wrote:
> Are you aware that the hashes stored in the Oracle database do not really
> use a salt (which is bad), but they do use the username as a
> differentiating factor. This means that the hash output depends on the

Isn't using the username as useful as a salt? Better, even, perhaps,
since usernames are longer than your typical few-character salt?
Salts just slow down precompiled dictionary attacks, yes? I suppose
it would be less useful for the few default accounts, but not for all
the other users.
-- Steven DeFord steve@singingtree.com (925) 596-0426
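
Added example, not part of the original post: a comparison of a username-keyed hash with a random per-record salt for a default account that exists on every installation. SHA-256 and PBKDF2 stand in for the real schemes (this is not Oracle's algorithm), and the account names and password are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def username_keyed_hash(username: str, password: str) -> str:
    """Stand-in for a scheme that mixes the username into the hash.
    SHA-256 is an assumption for illustration, NOT Oracle's algorithm."""
    data = username.encode("utf-8") + b"\x00" + password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def random_salted_hash(password: str,
                       salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash with a random 16-byte salt stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, 100_000)
    return salt, digest


def verify_random_salted(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = random_salted_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def compare_schemes(account: str, password: str) -> dict:
    """Simulate the same account/password on two independent databases."""
    db_a_user = username_keyed_hash(account, password)
    db_b_user = username_keyed_hash(account, password)
    salt_a, db_a_rand = random_salted_hash(password)
    _, db_b_rand = random_salted_hash(password)
    return {
        # Same well-known account name => same stored value everywhere,
        # so one precomputed table covers every installation.
        "username_scheme_identical": db_a_user == db_b_user,
        # Random salts make the stored values differ per installation.
        "random_salt_identical": db_a_rand == db_b_rand,
        # A different username does change the hash, as with a salt.
        "other_user_differs":
            username_keyed_hash("ALICE", password) != db_a_user,
        "random_salt_verifies":
            verify_random_salted(password, salt_a, db_a_rand),
    }


if __name__ == "__main__":
    # "SYSTEM" and the password are constructed sample inputs.
    print(compare_schemes("SYSTEM", "example-password"))
```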