RE: How are you authenticating you applications?

From: <Joel.Patterson_at_crowley.com>
Date: Thu, 10 Mar 2011 09:15:40 -0500
Message-ID: <C95D75DD2E01DD4D81124D104D317ACA16151D779A_at_JAXMSG01.crowley.com>

Yes, we digressed.

Or having there own accounts yet use ad hoc tools such as excel, access, and/or Cartesian products. :)

Joel Patterson
Database Administrator
904 727-2546

From: alanbort_at_gmail.com [mailto:alanbort_at_gmail.com] On Behalf Of Guillermo Alan Bort Sent: Thursday, March 10, 2011 8:08 AM
To: Patterson, Joel
Cc: greg_at_structureddata.org; oracle-l_at_freelists.org Subject: Re: How are you authenticating you applications?

I can see a nice DoS where someone attacks the database and locks the app account essentially rendering the application useless.

However, I was not worried about attack, not yet at least, I was more worried about people "legitimately" having the password and using it even though they are not supposed to.

thanks
Alan.-

On Thu, Mar 10, 2011 at 9:35 AM, <Joel.Patterson_at_crowley.com<mailto:Joel.Patterson_at_crowley.com>> wrote:

If the DB locks after 10 attempts, then would you not have a chance to block these brute force attack? After all it would lock in less than a second, and so nobody would go anywhere until the source is found.

Joel Patterson
Database Administrator
904 727-2546
-----Original Message-----
From: oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org> [mailto:oracle-l-bounce_at_freelists.org<mailto:oracle-l-bounce_at_freelists.org>] On Behalf Of Greg Rahn Sent: Wednesday, March 09, 2011 6:03 PM
To: cicciuxdba_at_gmail.com<mailto:cicciuxdba_at_gmail.com> Cc: oracle-l-freelists
Subject: Re: How are you authenticating you applications?

On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort <cicciuxdba_at_gmail.com<mailto:cicciuxdba_at_gmail.com>> wrote:
> We are working on providing the hashed password, so all the non-dbas get
> is a hash... but I don't know how strong the eencryption really is... and
> I'd like to let my i7 have a go at cracking one and see how long it takes...
> still, a non-human-intervention approach would be appreciated :-)

I'm not sure what you mean by this but I would strongly suggest this as a starting point:
http://codahale.com/how-to-safely-store-a-password/

BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA, rent a few dozen Amazon Web Services Cluster GPU instances and you will be frightened to learn how many hundreds of billions of password candidates (yes billions!) you can try in a few seconds. All at the hands of anyone with an AWS account. Makes you think at least twice about password security.

--
Regards,
Greg Rahn
http://structureddata.org
--
http://www.freelists.org/webpage/oracle-l



--
http://www.freelists.org/webpage/oracle-l

Received on Thu Mar 10 2011 - 08:15:40 CST

This message: [ Message body ]
Next message: Subodh Deshpande: "Re: How are you authenticating you applications?"
Previous message: Guillermo Alan Bort: "Re: How are you authenticating you applications?"
In reply to: Guillermo Alan Bort: "Re: How are you authenticating you applications?"
Next in thread: Subodh Deshpande: "Re: How are you authenticating you applications?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message