Full Disclosure
mailing list archives
Re: MySQL Local/Remote FAST Account Password Cracking
From: Jeffrey Walton <noloader () gmail com>
Date: Tue, 4 Dec 2012 14:18:42 -0500
On Mon, Dec 3, 2012 at 1:13 PM, king cope
<isowarez.isowarez.isowarez () googlemail com> wrote:
...
> Since the SALT does not change (and this is the weak point) in the
> change_user command it is a convenient way to crack passwords.
> (When connecting to mysql in each connection attempt the SALT is
> always different and sent out by the server).
...
Somewhat relevant here.... Salt has been recently shown to be a good thing:
"Multi-Instance Security and its Application to Password-Based Cryptography"
(http://eprint.iacr.org/2012/196.pdf).
Jeff
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/