Subject Re: [ib-support] Where I find a really good security specific IB/FB group?
Author Dimitry Sibiryakov
On 15 Jul 2002 at 11:50, Ivan Prenosil wrote:

>Right. It means that you can't look at USERS table in ISC4.GDB and use
>hashed password from there,

Well, I can't use any password from ISC4.GDB directly, but if I
have update rights to USERS table, I can replace any unknown password
by a known one. Besides, DES64 is well known. If I can see hashed
passwords in USERS, I can use brute-force methods to find the
password.

> but if you are able to look at password
>that is sent over net, you CAN use it to connect to database, because
>you can simply instruct gds32 that your password is already hashed!

Well, if a malefactor has access to the wire... Using third-party
tunneling tools makes sense. But as far as the sources of FB are open
and passwords are short there is no protection from an exhaustive
method. Anyone can examine the client library code and fit the password
for caught traffic.

SY, Dimitry Sibiryakov.
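
Added example, not part of the original message and not Firebird or InterBase code: a simplified model of the point in the quoted text, that a hash sent as-is over the wire is itself the credential and is accepted again on replay, set beside a nonce-based exchange where the captured value is rejected the second time. The class names, the user `alice`, the password and the use of SHA-256/HMAC are all assumptions made for illustration; the real client library and its DES-based hash are not modelled.

```python
import hashlib
import hmac
import os

def stored_hash(password: str) -> bytes:
    # Stand-in for the value kept in the USERS table (assumption: SHA-256).
    return hashlib.sha256(password.encode()).digest()

class StaticHashServer:
    """Hypothetical server: the client sends the stored hash itself."""
    def __init__(self, users):
        self.users = users
    def login(self, user, wire_value: bytes) -> bool:
        return hmac.compare_digest(self.users[user], wire_value)

class ChallengeServer:
    """Hypothetical server: the client proves knowledge over a fresh nonce."""
    def __init__(self, users):
        self.users = users
        self.pending = {}
    def challenge(self, user) -> bytes:
        self.pending[user] = os.urandom(16)
        return self.pending[user]
    def login(self, user, response: bytes) -> bool:
        nonce = self.pending.pop(user, None)  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(self.users[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(password: str, nonce: bytes) -> bytes:
    return hmac.new(stored_hash(password), nonce, hashlib.sha256).digest()

def replay_outcomes():
    users = {"alice": stored_hash("constructed-pw")}  # constructed sample data
    static = StaticHashServer(users)
    wire = stored_hash("constructed-pw")       # what a listener on the wire sees
    first_static = static.login("alice", wire)
    replay_static = static.login("alice", wire)  # same bytes, no password needed

    chal = ChallengeServer(users)
    captured = client_response("constructed-pw", chal.challenge("alice"))
    first_chal = chal.login("alice", captured)
    chal.challenge("alice")                    # new session, new nonce
    replay_chal = chal.login("alice", captured)
    return first_static, replay_static, first_chal, replay_chal

if __name__ == "__main__":
    print(replay_outcomes())
```

The nonce only removes replay of a captured value; it does not change the observation in the message above that short passwords remain open to exhaustive guessing against captured traffic, which is why the tunneling suggestion still applies.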