Oracle repeating Microsoft's mistake

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Sep 29, 2007.

  1. Oracle 11g introduces a new password-hashing algorithm based on SHA-1
    <http://www.schneier.com/blog/archives/2007/09/oracle_11g_pass.html>,
    <http://www.petefinnigan.com/weblog/archives/00001097.htm>,
    <http://www.phenoelit.net/lablog/oracle.sl>. All very well, except they
    still store passwords encrypted with the older, less secure algorithm as
    well. Granted they do this for backward compatibility, but it completely
    defeats the point of using the more secure algorithm.

    This is exactly the same mistake Microsoft made years ago with its
    password-hashing system. Will closed-source companies never learn?
    Lawrence D'Oliveiro, Sep 29, 2007
    #1

  2. Matty F Guest

    On Sep 29, 8:22 pm, Lawrence D'Oliveiro <l...@geek-central.gen.new_zealand> wrote:
    > Oracle 11g introduces a new password-hashing algorithm based on SHA-1
    > <http://www.schneier.com/blog/archives/2007/09/oracle_11g_pass.html>,
    > <http://www.petefinnigan.com/weblog/archives/00001097.htm>,
    > <http://www.phenoelit.net/lablog/oracle.sl>. All very well, except they
    > still store passwords encrypted with the older, less secure algorithm as
    > well. Granted they do this for backward compatibility, but it completely
    > defeats the point of using the more secure algorithm.
    >
    > This is exactly the same mistake Microsoft made years ago with its
    > password-hashing system. Will closed-source companies never learn?


    At least it's encrypted. At one of NZ's largest computer companies a
    colleague was happy with the IBM-supplied sign-on program. When he
    typed his quite long password I noticed the first two letters of it.
    In minutes I had written a program to search the entire mainframe
    memory for those two letters, and instantly found his password
    unencrypted lying in a cache.
    Matty F, Sep 29, 2007
    #2