Hack This!

In honor of Cyber Security Awareness Month, here is a challenge for anyone interested in database security, encryption, algorithms, etc.  We have a vendor-supplied application which connects to a production database as the owner of its own schema.  That is, the application has full access and privileges to select/insert/update/delete any application data.  Privileges for application users are controlled within the application itself.  This, by the way, is a very common practice for database applications.

One problem with this particular application, however, is that for some reason it stores a copy of the login credentials for the database for each application user.  These are the same credentials the application itself uses to connect to the production database, so the username and password fields for each application user should be the same.  Obviously it would be better to store a single copy of those credentials and reference them for each user.

That isn’t the big problem, however!  The big problem is that anyone with access to that table can retrieve the encrypted passwords and decrypt them if they can figure out the algorithm.  Once decrypted, they can then connect as the application (schema owner) and wreak all sorts of havoc.  I am posting this as a caution — even “read-only” access can be dangerous if users can use that information to get a higher level of access.  Keep in mind that most attacks come from inside a company!
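Before trusting a vendor's "encrypted" credential column, a reviewer can run a few cheap property checks on it, both on the stored rows and on the scheme itself. The Python below is an added example, not the vendor's code and not the post's PL/SQL solution: `toy_encode` is a constructed stand-in for a weak reversible scheme (the real algorithm is not disclosed in the post), `SAMPLE_ROWS` is constructed data in the shape the post describes (one schema-owner credential copied into every user row), and `good_encrypt`/`good_decrypt` sketch what an acceptable replacement looks like (random nonce, encrypt-then-MAC, key held outside the database), built from HMAC-SHA256 so it runs on the standard library alone.

```python
"""Audit checks for an application table that stores database credentials per
application user.  audit_rows() inspects the stored rows: one ciphertext
repeated for every user means a deterministic scheme guarding a single shared
secret.  audit_oracle() runs property tests against an encrypt() function on
chosen inputs: same plaintext -> same output, output length tracking input
length, and a one-character change touching only a small part of the output
are all signs of an encoding rather than encryption."""
import hashlib
import hmac
import secrets
from collections import Counter

# --- constructed weak scheme (hypothetical; not the vendor's algorithm) -------
TOY_KEY = bytes(range(1, 17))  # fixed 16-byte key baked into the "application"

def toy_encode(pt: bytes) -> bytes:
    """Repeating-key XOR, hex-encoded.  Deterministic and byte-local."""
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(pt)).hex().encode()

# --- acceptable replacement ---------------------------------------------------
MASTER_KEY = secrets.token_bytes(32)  # would come from a secret store, never from a DB table
NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def good_encrypt(pt: bytes, key: bytes = MASTER_KEY) -> bytes:
    """Returns nonce || ciphertext || tag.  A fresh nonce per call makes equal
    plaintexts produce unrelated blobs.  Plaintext length still shows; pad to a
    fixed length before calling if that matters."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def good_decrypt(blob: bytes, key: bytes = MASTER_KEY) -> bytes:
    """Verify the tag before decrypting; reject anything tampered with."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("credential blob failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

# --- audits -------------------------------------------------------------------
def audit_rows(rows):
    """rows: iterable of (app_user, db_user, enc_pw).  Returns summary counts."""
    rows = list(rows)
    cts = Counter(enc for _, _, enc in rows)
    return {
        "users": len(rows),
        "distinct_db_users": len({db for _, db, _ in rows}),
        "distinct_ciphertexts": len(cts),
        # every row carries the same blob => deterministic scheme over one shared secret
        "shared_credential_duplicated": len(rows) > 1 and len(cts) == 1,
    }

def audit_oracle(encrypt):
    """Property tests on chosen inputs.  Any True flag is a reason to distrust the scheme."""
    a, b = encrypt(b"correct horse"), encrypt(b"correct horse")
    short, long = encrypt(b"a"), encrypt(b"a" * 8)
    c1, c2 = encrypt(b"abcdefgh"), encrypt(b"abcdefgX")
    changed = sum(x != y for x, y in zip(c1, c2)) + abs(len(c1) - len(c2))
    frac = changed / max(len(c1), len(c2))
    return {
        "deterministic": a == b,             # equal plaintexts give equal output
        "length_leaks": len(short) != len(long),
        "changed_fraction": round(frac, 3),  # share of output touched by a 1-char change
        "local_change": frac < 0.25,         # small share => per-character scheme
    }

# constructed sample rows in the post's pattern: every user row holds the same
# schema-owner credential, "encrypted" with the toy scheme
SAMPLE_ROWS = [
    (user, "APP_OWNER", toy_encode(b"Sup3rS3cret!")) for user in ("alice", "bob", "carol", "dave")
]

if __name__ == "__main__":
    print(audit_rows(SAMPLE_ROWS))
    print("toy :", audit_oracle(toy_encode))
    print("good:", audit_oracle(good_encrypt))
```

The row audit needs nothing but read access to the table, which is exactly the access the post warns about: if the same blob appears in every row, the scheme is deterministic and every reader holds one copy of the schema-owner secret. The oracle checks are what a reviewer would run against a vendor's encryption routine during evaluation; the toy scheme fails all three while the HMAC-based replacement only leaks length.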

So, the challenge here is to find the algorithm to decrypt the passwords.  Here is a list of some of the encrypted values:


To help you along, I will give you up to twenty-five encrypted values for strings that you provide.  That should be more than double the number you need.  The strings you choose are a vital part of the solution, so choose wisely!  You may leave them in a comment.  Comments are moderated, so nobody else will get a hint by seeing the strings you’ve chosen, and I will send the encrypted values to you via e-mail, so please use a real e-mail address if you want to participate.

Your task is to describe an algorithm to decrypt the passwords, write code (in any language you wish) to decrypt them, and successfully decrypt the passwords above plus three more I will provide after you successfully decrypt those.

I was able to crack this pretty easily and will post my code (written in PL/SQL) once some others have had a chance to play.  Good luck!


  1. Curious Minds Want to Know !! Please send me 25 encrypted values :-) Let the Games Begin … :-)

  2. Hey DJ! I hope you are doing well.

    I’ve sent you an e-mail message asking for the values you would like encrypted. To let everyone know, this is part of the challenge! Choose, and choose wisely, up to 25 values that you think will help you figure out the pattern and test your algorithm. If you leave a comment asking me to encrypt some values for you, I will respond via e-mail to get the values and return the encrypted counterparts to you. Comments are moderated, so if you prefer to provide your values in a comment I will still respond via e-mail but won’t approve your comment since it would give others a hint.

