Full Disclosure mailing list archives

Re: mysql password cracking

From: Anders Langworthy <hades () psilanthropy org>
Date: Fri, 08 Oct 2004 16:05:00 -0500

David Hane wrote:

I'm wondering how dangerous it is to allow a user on a
mysql db to view the grants for another user. Could
they take the encrypted password data and possibly
crack it? If they can, how easy is it?

If a user can read the password data, it should be possible to do adictionary-type attack against the hashed passwords. John the Ripperhas a plugin for MySQL passwords. The difficulty (time) is dependentprimarily on the weakness of the passwords used.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

mysql password cracking David Hane (Oct 08)
- Re: mysql password cracking Anders Langworthy (Oct 08)
- Re: mysql password cracking ppatters (Oct 09)
- <Possible follow-ups>
- Re: mysql password cracking Willem Koenings (Oct 09)
  - Re: mysql password cracking Chris Anley (Oct 11)