Pete Finnigan's Oracle database password checker

From: Andre van Winssen <dreveewee_at_gmail.com>
Date: Tue, 7 Oct 2008 14:41:19 +0200
Message-ID: <9b46ac490810070541u947ac47w1a93aeeff3c02aff@mail.gmail.com>


Hi,

Pete Finnigan released v2 of his oracle database password checker written in plsql. It's worth running against your (SOx) production databases to find out about weak database passwords that might put in danger Confidentiality, Integrity and/or Availability.
Of course, if you'd use a database password verification function in your database for all new/altered database users then weak passwords are impossible during CREATE/ALTER USER.

The password checker can be found on Pete's webpage http://www.petefinnigan.com/oracle_password_cracker.htm. It works with oracle8i/9/10g and even 11g if your users have 10g password hashes. All that is required is a connection to the database with a database login that can read the dictionary (eg DBSNMP). Since this is public now, anybody in your network can run it against your databases, so you better find out yourself first and then take action asap if required.

You'd be surprised to see what powerful privileges these accounts with weak passwords might have. By abusing the privileges of these accounts one can easily get control of the database, even when patched with the latest critical patch update.

Kind regards,
Andre
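The post's second paragraph recommends a password verification function so that weak passwords are rejected at CREATE/ALTER USER time. The PL/SQL below is an added example of such a function and of the profile that attaches it; it is not Pete Finnigan's checker, not Oracle's shipped utlpwdmg.sql, and not code from the post. The parameter list (username, password, old_password) RETURN BOOLEAN is the signature Oracle requires for PASSWORD_VERIFY_FUNCTION; the function name, the profile name, the minimum length, and the small default-password list are assumptions chosen for the example.

```sql
-- Added example: a password verification function for an Oracle database.
-- Oracle requires the function to be owned by SYS and to have exactly this
-- parameter list; everything else here (name, rules, word list) is assumed.
CREATE OR REPLACE FUNCTION verify_strong_password (
    username      VARCHAR2,
    password      VARCHAR2,
    old_password  VARCHAR2
) RETURN BOOLEAN IS
    has_digit   BOOLEAN        := FALSE;
    has_alpha   BOOLEAN        := FALSE;
    lower_pw    VARCHAR2(4000) := LOWER(password);
    diff_count  PLS_INTEGER    := 0;
BEGIN
    -- Short passwords are the first thing a dictionary checker recovers.
    IF LENGTH(password) < 12 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
    END IF;

    -- The password must not equal or contain the username.
    IF INSTR(lower_pw, LOWER(username)) > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not be based on the username');
    END IF;

    -- Reject well-known defaults (constructed sample list; extend it to the
    -- wordlist your own checker uses).
    IF lower_pw IN ('oracle', 'manager', 'change_on_install',
                    'welcome1', 'password', 'dbsnmp') THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password is a well-known default');
    END IF;

    -- Require at least one letter and one digit.
    FOR i IN 1 .. LENGTH(password) LOOP
        IF SUBSTR(password, i, 1) BETWEEN '0' AND '9' THEN
            has_digit := TRUE;
        ELSIF LOWER(SUBSTR(password, i, 1)) BETWEEN 'a' AND 'z' THEN
            has_alpha := TRUE;
        END IF;
    END LOOP;
    IF NOT (has_digit AND has_alpha) THEN
        RAISE_APPLICATION_ERROR(-20004, 'Password must contain both letters and digits');
    END IF;

    -- On ALTER USER, the new password must differ from the old one in at
    -- least three positions (old_password is NULL on CREATE USER).
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
            IF SUBSTR(password, i, 1) IS NULL
               OR SUBSTR(old_password, i, 1) IS NULL
               OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
                diff_count := diff_count + 1;
            END IF;
        END LOOP;
        IF diff_count < 3 THEN
            RAISE_APPLICATION_ERROR(-20005, 'New password is too similar to the old one');
        END IF;
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function through a profile and give it to the accounts that
-- matter. FAILED_LOGIN_ATTEMPTS also blunts online guessing against the
-- same weak accounts; the numeric limits are assumed values.
CREATE PROFILE strong_pw_profile LIMIT
    PASSWORD_VERIFY_FUNCTION verify_strong_password
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LIFE_TIME       90;

ALTER USER dbsnmp PROFILE strong_pw_profile;

-- Assigning a profile does not retroactively test an existing password, so
-- force a change for any account the checker flagged.
ALTER USER dbsnmp PASSWORD EXPIRE;
```

The function only runs when a password is set, so it complements rather than replaces a periodic run of the checker against the stored hashes: the profile stops new weak passwords, the checker finds the ones already in place.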

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Oct 07 2008 - 07:41:19 CDT