Re: Pete Finnigan's Oracle database password checker

From: Pete Finnigan <>
Date: Mon, 13 Oct 2008 10:28:30 +0100
Message-ID: <>

Hi Bradd,

The cool thing about a PL/SQL/SQL*Plus script is that you can control what it does simply by running it as a user with privileges you control, i.e. it needs create session and access to SYS.USER$; access to DBMS_OBFUSCATION_TOOLKIT is there by default. The user doesn't need any alteration privs, either DDL or DML based.

Also the other cool thing is that the source code is there and you can read it and see what it does first.



Bradd Piontek wrote:
> Maybe it is just me, but I would never run something 'new' against a
> production database without first seeing what it does (either by reviewing
> the code or by testing it against a non-prod environment). Even from a
> trusted source like Mr. Finnigan.
> Bradd Piontek
> "Next to doing a good job yourself,
> the greatest joy is in having someone
> else do a first-class job under your
> direction."
> -- William Feather
> On Tue, Oct 7, 2008 at 7:41 AM, Andre van Winssen <> wrote:

>> Hi,
>> It's worth running against your (SOx) production databases to find out
>> about weak database passwords that might put in danger Confidentiality,
>> Integrity and/or Availability.


Pete Finnigan
Principal Consultant Limited

Registered in England and Wales
Company No: 4664901

Specialists in database security.

If you need help to audit or secure an Oracle database, please ask for
details of our courses and consulting services

Phone: 0044 (0)1904 791188
Fax  : 0044 (0)1904 791188
Mob  : 0044 (0)7742 114223
site :

Please note that this email communication is intended only for the
addressee and may contain confidential or privileged information. The
contents of this email may be circulated internally within your
organisation only and may not be communicated to third parties without
the prior written permission of Limited.  This email is
not intended nor should it be taken to create any legal relations,
contractual or otherwise.

Received on Mon Oct 13 2008 - 04:28:30 CDT
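
The privilege set described in the message above, written out as an added example that is not part of the original thread or of the checker script: a dedicated account limited to the two grants Pete names, followed by data dictionary queries that show whether it holds anything more. The account name PWCHECK and its password are constructed placeholders, and the statements assume a SQL*Plus session connected as SYS.

```sql
-- Added example, not from the original thread or the checker script.
-- Run as SYS (AS SYSDBA). PWCHECK and its password are constructed placeholders.

CREATE USER pwcheck IDENTIFIED BY "Replace_This_Placeholder_1";

-- The two grants named in the message: log on, and read SYS.USER$.
GRANT CREATE SESSION TO pwcheck;
GRANT SELECT ON sys.user$ TO pwcheck;

-- EXECUTE on DBMS_OBFUSCATION_TOOLKIT is expected to come from PUBLIC,
-- so no direct grant is made. This query shows whether that holds here.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_OBFUSCATION_TOOLKIT'
AND    grantee    = 'PUBLIC';

-- System privileges: any row other than CREATE SESSION is excess.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'PWCHECK';

-- Roles: any row here is excess (roles can carry DDL/DML privileges).
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'PWCHECK';

-- Object privileges: any row other than SELECT on SYS.USER$ is excess.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PWCHECK';

-- After the checker has been run: SYS.USER$ holds the password hashes,
-- so an account that can read it should not be left in place.
DROP USER pwcheck CASCADE;
```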
