Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Unwrapping PL/SQL"] [Next entry: "Buying books, writing books and uploading slides"]

Dennis has released a paper describing his FPGA cracker

I got an email from Dennis Yurichev at the beginning of last week with an article he has written about his FPGA based password cracker explaining how he created it, what tools are hardware are used and how at a high level the algorithms have been implemented. Dennis's paper titled "How to create FPGA-based Oracle RDBMS cracker that works in average 30-40 times faster [1] than password crackers on Intel Core Duo 2." is available to read and is very interesting.

There has been 2 Comments posted on this article

December 7th, 2009 at 05:34 pm

Pete Finnigan says:

Hi Pete

I blogged already yesterday about this FPGA paper. There is a small but important flaw in the implementation. Passwords starting with a number (alter user alex identified by "1&quotwink are not found. Dennis confirmed this issue.

Details can be found in my blog (



Red-Database-Security GmbH

December 14th, 2009 at 10:48 am

Pete Finnigan says:

Hi Alex,

Thanks for the comment, i was aware of this already when i tested it. At the time as Dennis had limited the character set and also the length it was relevant but sort of a side issue if you were not allowed to use the complete chartacter set to create a password starting with a digit (i.e. encase the password in quotes) then it was true but didnt help a lot.

The upside is most sites dont have passwords using digits as the first character or extended characters above a-z0-9_#$, thanks for the comment though, sorry for the delayed response I have been working away.