Pete Finnigan's Oracle database password checker
Date: Tue, 7 Oct 2008 14:41:19 +0200
Pete Finnigan released v2 of his oracle database password checker written in
plsql. It's worth running against your (SOx) production databases to find
out about weak database passwords that might put in danger Confidentiality,
Integrity and/or Availability.
Of course, if you'd use a database password verification function in your database for all new/altered database users then weak passwords are impossible during CREATE/ALTER USER.
The password checker can be found on Pete's webpage http://www.petefinnigan.com/oracle_password_cracker.htm. It works with oracle8i/9/10g and even 11g if your users have 10g password hashes. All that is required is a connection to the database with a database login that can read the dictionary (eg DBSNMP). Since this is public now, anybody in your network can run it against your databases, so you better find out yourself first and then take action asap if required.
You'd be surpised to see what powerful privileges these accounts with weak passwords might have. By abusing the privileges of these accounts one can easily get control of the database, even when patched with the latest critical patch update.