17 Dec 2003, 11:17 p.m.
One of the barn-door sized holes in VMS was (still is?) that VMS used the Purdy Password hashing function. I considered using it for the Oracle RDBMS password function, but dropped the idea when I realized that it is possible to invert the hash function. I don't have my notes, but I recall that it only took me a couple days to work it out. The problem is that many passwords hash to the same value. It is actually hard to find out the true password that someone else chose, but easy to find another password that will hash to the same value. The hard part is finding a printable password that maps to the desired value. --Bob Baldwin