Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: mysql password cracking
From: Anders Langworthy <hades () psilanthropy org>
Date: Fri, 08 Oct 2004 16:05:00 -0500

David Hane wrote:
I'm wondering how dangerous it is to allow a user on a
mysql db to view the grants for another user. Could
they take the encrypted password data and possibly
crack it? If they can, how easy is it?

If a user can read the password data, it should be possible to do a dictionary-type attack against the hashed passwords. John the Ripper has a plugin for MySQL passwords. The difficulty (time) is dependent primarily on the weakness of the passwords used.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]