Subject | Re: [ib-support] Where I find a really good security specific IB/FB group? |
---|---|
Author | Dimitry Sibiryakov |
Post date | 2002-07-16T03:34:56Z |
On 15 Jul 2002 at 11:50, Ivan Prenosil wrote:
> Right. It means that you can't look at USERS table in ISC4.GDB and use
> hashed password from there,

Well, I can't use any password from ISC4.GDB directly, but if I
have update rights to USERS table, I can replace any unknown password
by a known one. Besides, DES64 is well known. If I can see hashed
passwords in USERS, I can use brute-force methods to find the
password.

> but if you are able to look at password
> that is sent over net, you CAN use it to connect to database, because
> you can simply instruct gds32 that your password is already hashed!

Well, if a malefactor has access to the wire... Using third-party
tunneling tools makes sense. But as far as sources of FB are opened
and passwords are short there is no protection from an exhaustive
method. Anyone can examine client library code and fit the password
for a caught traffic.

SY, Dimitry Sibiryakov.