RE: passwords (a bit of a rant)

From: Brady, Mark <mbrady_at_allegisgroup.com>
Date: Thu, 15 Aug 2013 11:46:47 -0400
Message-ID: <AA44A710C938C04EBFCB1BFC312993DE5E8066541A_at_EXCH-MBX23.allegisgroup.com>



> Got a fix for it now but it nearly drove me nuts.

Can you share that? Was it a technical fix or an HR fix?

;-)

-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Nuno Souto
Sent: Wednesday, August 14, 2013 6:33 AM
To: oracle-l_at_freelists.org
Subject: Re: passwords (a bit of a rant)

See below

--
Cheers
Nuno Souto
dbvision_at_iinet.net.au


On 14/08/2013 6:09 AM, Guillermo Alan Bort wrote:

> completely unrelated words that the crappy 7331 passwords that IT Sec
> seems

I love to run some of the L337-speak passwords that IT spec demands through a password cracker. 9 times out of 10, they are the easiest to crack...

> a security feature. I often find TOAD or SQL Developer from windows
> machines on the OOB vlan connected to the database with the schema
> owner of an application. This is bad, because not everybody bothers
> checking their queries before executing them and this can lead to
> horrible, horrible things running in the database (like a Cartesian
> join of two multi-million-row tables). This happens when an app uses

Or worse yet: when they leave a query window open tying up half my parallel query service processes in an inactive cursor, thereby ensuring my overnight ETL will overrun... Got a fix for it now but it nearly drove me nuts.

> Furthermore, changing application passwords is usually very hard
> (and more often than not it involves downtime of some sort), so if a

Try doing it on the Peoplesoft HR app server or for PSMAN and I'll guarantee a re-install...

> I seem to remember Oracle supports other types of authentication
> (other than passwords) but they don't seem to cut it.

And yet, it's the simplest thing in OS-land. None of our ssh connections require a password anymore: auth tokens are more than enough. I think external login authentication was an attempt to make it happen, but I don't know of anyone using it successfully.

> What are your opinions on oracle authentication and where it lacks?

Most of the apps we run ignore it. They use either a generic login and their own login/pswd pairs, a-la Peoplesoft and Apex+LDAP. Or a db login that does nothing and has nothing and a login trigger that sets things up properly.

> How do you handle password management, and application, developer and
> end user access to databases?

Where possible, I use "alter session set current_schema=schema_owner;" from user SYS. If not adequate, then I snapshot the encrypted pwd into a text file, replace it with something I can type in less than 1 hour, login, do the work, then go back to SYS and replace the new pwd with the old encrypted one using good old "identified by values".

>
> I haven't looked through all the 12c new features, is there anything
> new on this area?

Unfortunately, what I hoped for didn't happen. In a nutshell: http://dbasrus.blogspot.com.au/2011/11/wish-list-for-12c.html Ah well: another missed opportunity for Oracle to do something actually useful to dbas. Instead of blaming them for everything including global warming...

--
http://www.freelists.org/webpage/oracle-l
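The two techniques Nuno describes (working under `current_schema`, and snapshotting the password hash so it can be restored with `identified by values`), written out as an added SQL example with the checks a DBA would run afterwards; this is not code from the thread, and the schema name APPOWNER and the temporary password are placeholders.

```sql
-- Added example. Run from a SYSDBA session; APPOWNER is a placeholder schema.

-- 1. Preferred: resolve unqualified object names against the schema owner
--    without knowing or touching its password. Privileges and the audit
--    trail still belong to the real session user (here SYS).
ALTER SESSION SET CURRENT_SCHEMA = APPOWNER;
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')   AS session_user,
       SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA') AS current_schema
  FROM DUAL;
-- session_user = SYS, current_schema = APPOWNER, so an unqualified name
-- such as "emp" now resolves to APPOWNER.EMP in any DDL/DML that follows.

-- 2. Fallback when the work really has to run *as* the owner: snapshot the
--    hash, set a temporary password, work, then restore the old hash.
--    DBMS_METADATA already emits the hash in IDENTIFIED BY VALUES form,
--    so there is no need to hand-assemble the version-specific layout.
SELECT DBMS_METADATA.GET_DDL('USER', 'APPOWNER') FROM DUAL;
--   => CREATE USER "APPOWNER" IDENTIFIED BY VALUES '<hash string>' ...
--   Keep that exact string; treat the file like a password (owner-only perms).

ALTER USER appowner IDENTIFIED BY "Temp_pwd_for_this_change_only";
-- ... connect as APPOWNER, do the work, disconnect ...

-- Restore the original hash verbatim so the app's stored password works again.
ALTER USER appowner IDENTIFIED BY VALUES '<hash string from GET_DDL>';

-- Checks worth running afterwards:
-- a) account not locked or expired. Each ALTER USER ... IDENTIFIED BY counts
--    as a password change, so the profile's PASSWORD_LIFE_TIME clock restarts.
SELECT username, account_status, expiry_date
  FROM dba_users
 WHERE username = 'APPOWNER';
-- b) did anything try the old password during the window? Those attempts
--    fail with ORA-01017 and count towards FAILED_LOGIN_ATTEMPTS.
SELECT username, timestamp, returncode
  FROM dba_audit_session
 WHERE username   = 'APPOWNER'
   AND returncode <> 0
   AND timestamp  > SYSDATE - 1/24;
```

The `current_schema` route is the one to reach for first: with the swap, everything done during the window is attributed to APPOWNER rather than to the DBA who actually did it.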
Received on Thu Aug 15 2013 - 17:46:47 CEST
