Hey David,
Re: allowing users to see other users' hashes - it's dangerous; don't do
it if you don't have to.
To precis what's in the paper (which I wrote btw), there are a few
interesting points about mysql password hashes:
1) In versions prior to 4.1, the password hash can be used to
authentica
hi,
> I'm wondering how dangerous it is to allow a user on a
> mysql db to view the grants for another user. Could
> they take the encrypted password data and possibly
> crack it? If they can, how easy is it?
under certain conditions it's quite easy, if you have
a hash:
test.exe 57510426775c5b0
On Fri, 2004-10-08 at 16:03, David Hane wrote:
> I'm wondering how dangerous it is to allow a user on a
> mysql db to view the grants for another user. Could
> they take the encrypted password data and possibly
> crack it? If they can, how easy is it?
I periodically export the mysql database with
David Hane wrote:
> I'm wondering how dangerous it is to allow a user on a
> mysql db to view the grants for another user. Could
> they take the encrypted password data and possibly
> crack it? If they can, how easy is it?
If a user can read the password data, it should be possible to do a
dictionary-type
I'm wondering how dangerous it is to allow a user on a
mysql db to view the grants for another user. Could
they take the encrypted password data and possibly
crack it? If they can, how easy is it?
___
Full-Disclosure - We believe in it.
Charter: http://