Comment by thayne
2 months ago
> Just knowing the structure is not far off from knowing the max entropy a password may hold
Not if the password is hashed, as it should be. Unless the schema somehow indicates that it uses a hash algorithm such as bcrypt that has a maximum password length. And even then, if they pre-hash the password, the password itself could have more entropy than that. And if there is a maximum password length, then you can probably figure that out via other means, like it being listed in the requirements when you set your password. It does tell you the size of the hash of the password, but if the maximum entropy is sufficiently high, as it should be, then it doesn't really matter; it would still be impractical to brute force.
> there is no company worth its salt that would share DB schema
So you are saying that every company with a self-hosted or open source product that uses a database isn't worth its salt? If your DB is running on a customer's infrastructure, that customer will by necessity have access to the schema. And likewise, if the source code for a product is publicly available, it is trivial to determine the schema.
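The pre-hashing point above, as an added worked example that is not part of thayne's comment or of any product discussed in the thread. bcrypt really does ignore every input byte after the 72nd, but the bcrypt library is not in the Python standard library, so the block models that cap with PBKDF2-HMAC-SHA256 plus an explicit 72-byte truncation (an assumption, not bcrypt itself). The salt, the iteration count and the sample passwords are all constructed for the demonstration. It shows three things the paragraph only states: that a capped KDF collides on passwords that differ only past byte 72, that pre-hashing to a fixed, NUL-free string removes that cap, and that the stored digest has the same length whether the password is 2 or 500 characters, so the schema's column width says nothing about the password's entropy.

```python
import base64
import hashlib
import hmac

# Real bcrypt behaviour: input bytes beyond the 72nd are silently ignored.
BCRYPT_INPUT_LIMIT = 72
# Work factor for the PBKDF2 stand-in (assumed value; bcrypt would use a cost parameter instead).
ITERATIONS = 50_000

# Constructed salt for the example; a real system draws it from os.urandom(16)
# and stores it next to the hash, where anyone with the schema can see it.
SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")


def truncating_kdf(password: bytes, salt: bytes) -> bytes:
    """Model of a bcrypt-like KDF: only the first 72 bytes of input matter.

    PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt; the
    slice reproduces the length cap, nothing else about bcrypt is modelled.
    """
    return hashlib.pbkdf2_hmac("sha256", password[:BCRYPT_INPUT_LIMIT], salt, ITERATIONS)


def prehash(password: bytes) -> bytes:
    """Compress an arbitrary-length password to a fixed 44-byte, NUL-free string.

    Base64 (not raw digest bytes) matters: some bcrypt implementations treat a
    NUL byte as the end of the input, which would silently shorten the password.
    """
    return base64.b64encode(hashlib.sha256(password).digest())


def hash_password(password: str, salt: bytes, pre: bool) -> bytes:
    """Derive the stored verifier, optionally pre-hashing to dodge the 72-byte cap."""
    pw = password.encode("utf-8")
    if pre:
        pw = prehash(pw)
    return truncating_kdf(pw, salt)


def verify(password: str, salt: bytes, stored: bytes, pre: bool) -> bool:
    """Constant-time comparison of a candidate password against the stored verifier."""
    return hmac.compare_digest(hash_password(password, salt, pre), stored)


def demo() -> dict:
    """Run the comparison the comment describes and return the observations."""
    # Constructed passwords that agree on the first 72 bytes and differ after.
    long_a = "a" * BCRYPT_INPUT_LIMIT + "X"
    long_b = "a" * BCRYPT_INPUT_LIMIT + "Y"

    capped_a = hash_password(long_a, SALT, pre=False)
    capped_b = hash_password(long_b, SALT, pre=False)
    pre_a = hash_password(long_a, SALT, pre=True)
    pre_b = hash_password(long_b, SALT, pre=True)

    return {
        # Without pre-hashing the two distinct passwords verify as the same one.
        "capped_collision": capped_a == capped_b,
        "capped_wrong_password_accepted": verify(long_b, SALT, capped_a, pre=False),
        # With pre-hashing every byte of the password contributes.
        "prehashed_collision": pre_a == pre_b,
        "prehashed_wrong_password_rejected": not verify(long_b, SALT, pre_a, pre=True),
        # Stored digest length is fixed regardless of password length.
        "digest_len_short": len(hash_password("pw", SALT, pre=True)),
        "digest_len_long": len(hash_password("p" * 500, SALT, pre=True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Knowing the salt, as an attacker who has read the schema and the row would, does not change any of this: each guess still costs one full KDF evaluation against that salt, so the defence rests on the KDF's work factor and on the password's entropy, not on hiding where the salt lives.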
I'm not arguing the complexity of hacking a password; I'm familiar. So instead of responding with rainbow tables or how knowing the schema informs you of the location of salts for the salted hash (which is the actual proper way), I'll just point to an example.
Look at how RSA is implemented. Look at the intentional obscurity of S tables and lack of detailed information.
There is a reason information is withheld. DB schema is just that, information that increases the threat.
And running a DB on someone's infrastructure doesn't necessarily give you access. You need to read up on AuthN and AuthZ.
If you listed an open source example I'd take the time to poke holes in your strawman argument but you honestly just need to take a step back and think about what you are really arguing.
Do you really think not having the schema is as inconsequential as having the schema when attacking something? I mean what is the first step most folks do in reverse engineering? I honestly can't believe I'm having to say this.