RE: How are you authenticating you applications?

From: <Joel.Patterson_at_crowley.com>
Date: Thu, 10 Mar 2011 07:35:06 -0500
Message-ID: <C95D75DD2E01DD4D81124D104D317ACA16151957E0_at_JAXMSG01.crowley.com>


If the DB locks after 10 attempts, then would you not have a chance to block these brute force attacks? After all it would lock in less than a second, and so nobody would go anywhere until the source is found.

Joel Patterson
Database Administrator
904 727-2546
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Greg Rahn
Sent: Wednesday, March 09, 2011 6:03 PM
To: cicciuxdba_at_gmail.com
Cc: oracle-l-freelists
Subject: Re: How are you authenticating you applications?

On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort <cicciuxdba_at_gmail.com> wrote:
>    We are working on providing the hashed password, so all the non-dbas get
> is a hash... but I don't know how strong the encryption really is... and
> I'd like to let my i7 have a go at cracking one and see how long it takes...
> still, a non-human-intervention approach would be appreciated :-)

I'm not sure what you mean by this but I would strongly suggest this as a starting point:
http://codahale.com/how-to-safely-store-a-password/

BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA, rent a few dozen Amazon Web Services Cluster GPU instances and you will be frightened to learn how many hundreds of billions of password candidates (yes billions!) you can try in a few seconds. All at the hands of anyone with an AWS account. Makes you think at least twice about password security.

-- 
Regards,
Greg Rahn
http://structureddata.org
--
http://www.freelists.org/webpage/oracle-l


Received on Thu Mar 10 2011 - 06:35:06 CST
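The two controls discussed in this thread side by side, as an added illustration that is not code from the thread or from any of its authors: the lock-after-10-failures counter Joel describes, and the salted, deliberately slow hash that the article Greg links recommends. PBKDF2 from Python's standard library stands in for bcrypt here, and the iteration count and lockout threshold are assumed values; the last function measures how much a slow hash cuts the offline guess rate against a leaked hash, which is the part a lockout cannot help with.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000      # assumed PBKDF2 cost; tune to your hardware
LOCKOUT_THRESHOLD = 10    # the "locks after 10 attempts" policy from the thread


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store a salted, deliberately slow PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))


class LoginGuard:
    """Online control: lock the account after N consecutive failures. It stops
    guessing through the login path only; a leaked hash is protected by hash cost."""

    def __init__(self, stored_hash: str, threshold: int = LOCKOUT_THRESHOLD):
        self.stored_hash, self.threshold, self.failures = stored_hash, threshold, 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.threshold

    def attempt(self, password: str) -> bool:
        if self.locked:
            return False  # once locked, even the right password is refused
        if verify_password(password, self.stored_hash):
            self.failures = 0
            return True
        self.failures += 1
        return False


def slowdown_factor(password: str = "correct horse") -> float:
    """Cost of one PBKDF2 verification relative to one bare SHA-256 of the password."""
    t0 = time.perf_counter()
    for _ in range(1_000):
        hashlib.sha256(password.encode()).digest()
    fast = (time.perf_counter() - t0) / 1_000
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
    return (time.perf_counter() - t0) / fast
```

A lockout counter lives in the database and is reset by a DBA; the hash cost is the only thing that matters once someone has copied the password table out of it.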
