Re: Pete Finnigan's Oracle database password checker
Date: Mon, 13 Oct 2008 10:28:30 +0100
Message-ID: <48F314BE.4070002@petefinnigan.com>
Hi Bradd,
The cool thing about a PL/SQL/SQL*Plus script is that you can control what it does simply by running it as a user with privileges you control, i.e. it needs create session and access to SYS.USER$; access to DBMS_OBFUSCATION_TOOLKIT is there by default. The user doesn't need any alteration privs, either DDL or DML based.
Also the other cool thing is that the source code is there and you can read it and see what it does first.
cheers
Pete
Bradd Piontek wrote:
> Maybe it is just me, but I would never run something 'new' against a
> production database without first seeing what it does (either by reviewing
> the code or by testing it against a non-prod environment). Even from a
> trusted source like Mr. Finnigan.
>
> Bradd Piontek
> "Next to doing a good job yourself,
> the greatest joy is in having someone
> else do a first-class job under your
> direction."
> -- William Feather
>
>
> On Tue, Oct 7, 2008 at 7:41 AM, Andre van Winssen <dreveewee_at_gmail.com> wrote:
>
>> Hi,
>>
>> It's worth running against your (SOx) production databases to find out
>> about weak database passwords that might put in danger Confidentiality,
>> Integrity and/or Availability.
>>
>
--
Pete Finnigan
Principal Consultant
PeteFinnigan.com Limited

Registered in England and Wales
Company No: 4664901

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for details of our courses and consulting services

Phone: 0044 (0)1904 791188
Fax  : 0044 (0)1904 791188
Mob  : 0044 (0)7742 114223
email: pete_at_petefinnigan.com
site : http://www.petefinnigan.com

Please note that this email communication is intended only for the addressee and may contain confidential or privileged information. The contents of this email may be circulated internally within your organisation only and may not be communicated to third parties without the prior written permission of PeteFinnigan.com Limited. This email is not intended nor should it be taken to create any legal relations, contractual or otherwise.
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Oct 13 2008 - 04:28:30 CDT