Table 8-1. Sample Rainbow Table

Password    Hash
--------    --------------
Tiger       ac3xad99d99aa
Leopard     Ij879asdc0dack
Lion        ada99dadchadd
kitten      ac3xad99d99aa
Dog         psadf999adcvde
With this rainbow table a hacker could quickly determine that ac3xad99d99aa corresponds to both tiger and kitten (and possibly hundreds of others). The hacker could use either tiger or kitten to log into the system from which the encrypted passwords had been stolen, even if neither tiger nor kitten was the user's actual password. The key is that they produce the same hash as the real password. Both tiger and kitten could be used on any other system that uses the same algorithm, but unless tiger or kitten was the actual password, they would not work on a system with a different algorithm. This is a key point about passwords. Rainbow tables tend to hold precomputed values for common strings. If you use an unusual password, a rainbow table will not find your password, though it may find another password with the same hash. That gives the hacker access to the initially compromised system, but not to another system that uses a different hash algorithm.

Returning to our example, assume John Doe (username = jdoe) has an actual password of tlig4rkitU8 and that this password has the same hash as tiger and kitten in jdoe's web content management system. If the web content management system is compromised, a hacker will determine that jdoe's password is likely tiger or kitten, and will be able to log in to the system with the username jdoe and either password (tiger or kitten). If John uses the same username and password for email (jdoe/tlig4rkitU8), and the email system uses a different algorithm, the hacker will not be able to log into John's email. Of course, if the email system uses the same algorithm, both kitten and tiger will work. Clearly, a strong password is preferable.
Note: Most hash algorithms have a seed (or salt) value. Changing the seed value changes the resulting hash.
While this applies to virtually any system, it is clear that APEX applications must consider how best to protect passwords. Passwords should always be encrypted. Whenever a workspace is created with demonstration objects, APEX creates the function custom_hash:
create or replace function custom_hash (p_username in varchar2, p_password in varchar2)
return varchar2
is
    l_password varchar2(4000);
    -- fixed, installation-wide salt value (see the Note above)
    l_salt varchar2(4000) := 'S5X18087B0GXG7AN65M5UXPLFPS5DB';
begin
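As an added illustration (not code from the book or from APEX), the following Python contrasts a precomputed lookup table of the kind sketched in Table 8-1 against a salted hash modelled on the custom_hash declarations above. The way the salt is spliced around the username and password is assumed for this example, because the listing stops before the function body, and MD5 stands in for whatever fixed algorithm a table happens to be built for.

```python
import hashlib

# Constructed candidate list standing in for the "common strings" a rainbow
# table is built from; a real table would hold millions of entries.
COMMON_PASSWORDS = ["tiger", "leopard", "lion", "kitten", "dog"]

# Salt value from the custom_hash listing; how it is used below is this
# example's own assumption, since the listing stops before the function body.
SALT = "S5X18087B0GXG7AN65M5UXPLFPS5DB"


def unsalted_hash(password, algorithm="md5"):
    # A fixed, unsalted hash of the password alone: the case Table 8-1 models.
    return hashlib.new(algorithm, password.encode()).hexdigest()


def build_lookup_table(candidates, algorithm="md5"):
    # Precompute hash -> [candidate strings] so a stolen hash is a direct lookup.
    table = {}
    for candidate in candidates:
        table.setdefault(unsalted_hash(candidate, algorithm), []).append(candidate)
    return table


def lookup(table, stolen_hash):
    # Every candidate whose hash matches would be accepted as this user's password.
    return table.get(stolen_hash, [])


def salted_hash(username, password, salt=SALT, algorithm="md5"):
    # Assumed salted variant: fixed slices of the salt are spliced around the
    # password and username before hashing, so the same password hashes
    # differently per user and per installation (slices are 0-based here).
    material = password + salt[9:22] + username + salt[3:13]
    return hashlib.new(algorithm, material.encode()).hexdigest()


def exposure_report(username, password):
    # What a stolen hash of this user's password yields against an MD5 table:
    # the unsalted MD5 case is found, a different algorithm or a salted
    # hash is not (the table was not built for those values).
    table = build_lookup_table(COMMON_PASSWORDS)
    return {
        "unsalted_md5": lookup(table, unsalted_hash(password)),
        "unsalted_sha256": lookup(table, unsalted_hash(password, "sha256")),
        "salted_md5": lookup(table, salted_hash(username, password)),
    }
```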