Re: How are you authenticating you applications?

From: Guillermo Alan Bort <cicciuxdba_at_gmail.com>
Date: Thu, 10 Mar 2011 10:07:55 -0300
Message-ID: <AANLkTik-PYXgyfretHiMWEmW3a_WOs1q2uBU5yLghkC0_at_mail.gmail.com>
I can see a nice DoS where someone attacks the database and locks the app account essentially rendering the application useless.

However, I was not worried about attack, not yet at least, I was more worried about people "legitimately" having the password and using it even though they are not supposed to.

thanks
Alan.-

On Thu, Mar 10, 2011 at 9:35 AM, <Joel.Patterson_at_crowley.com> wrote:

>
> If the DB locks after 10 attempts, then would you not have a chance to
> block these brute force attack? After all it would lock in less than a
> second, and so nobody would go anywhere until the source is found.
>
> Joel Patterson
> Database Administrator
> 904 727-2546
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org]
> On Behalf Of Greg Rahn
> Sent: Wednesday, March 09, 2011 6:03 PM
> To: cicciuxdba_at_gmail.com
> Cc: oracle-l-freelists
> Subject: Re: How are you authenticating you applications?
>
> On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort
> <cicciuxdba_at_gmail.com> wrote:
> > We are working on providing the hashed password, so all the non-dbas get
> > is a hash... but I don't know how strong the encryption really is... and
> > I'd like to let my i7 have a go at cracking one and see how long it takes...
> > still, a non-human-intervention approach would be appreciated :-)
>
> I'm not sure what you mean by this but I would strongly suggest this
> as a starting point:
> http://codahale.com/how-to-safely-store-a-password/
>
> BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA,
> rent a few dozen Amazon Web Services Cluster GPU instances and you
> will be frightened to learn how many hundreds of billions of password
> candidates (yes billions!) you can try in a few seconds.
> All at the hands of anyone with an AWS account. Makes you think at
> least twice about password security.
>
> --
> Regards,
> Greg Rahn
> http://structureddata.org
> --
> http://www.freelists.org/webpage/oracle-l

Received on Thu Mar 10 2011 - 07:07:55 CST
