Re: passwords (a bit of a rant)

From: Craig Hagan <hagan_at_cih.com>
Date: Wed, 14 Aug 2013 06:47:39 -0400
Message-ID: <CAFk4TtX0XVWgH-6qyDXVr_wkqoCaAuReNnNVtqwnUmjMG5-1Gg_at_mail.gmail.com>



Agreed with folks, however there are often practical limits to password lengths which may prevail. For example, if you use RADIUS authentication, there is a maximum attribute length (impacts username and password) of 253 octets, constrained by the protocol itself. Naturally, some RADIUS servers will have a lower maximum size.
I'm curious if there are constraints in the sqlnet protocol or somewhere else in Oracle as well -- or if there is some transformation which occurs to the password which degrades entropy, making passwords longer than some particular length no stronger than a shorter password.

Personally, I'm of the opinion that one-time passwords, biometrics, etc. are the best bet, even if something simple like Google Authenticator ones (it isn't hard to implement a RADIUS server which uses that and auths Oracle users, I'm just not sure I can release my code).

  • craig

On Tue, Aug 13, 2013 at 9:25 PM, Guillermo Alan Bort <cicciuxdba_at_gmail.com> wrote:

> Well, at least it's good to see that I'm not alone here...
> A while ago someone asked what features we would like to see in future
> releases, well... I would like the password length limit to be removed
> (or practically removed as removing it altogether might not yield the best
> performance).
>
> Thanks for the answers.
>
> Alan.-
>
> [SNIP]
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
          .-    ... . -.-. .-. . -    -- . ... ... .- --. .

                            Craig I. Hagan
                           hagan(at)cih.com

 nemo dat quod non habet - you cannot give what you do not have


--
http://www.freelists.org/webpage/oracle-l
Received on Wed Aug 14 2013 - 12:47:39 CEST
