Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Security and changing passwords over network.

From: Billy Verreynne <vslabs_at_onwe.co.za>
Date: Fri, 31 Jan 2003 09:46:31 +0000
Message-ID: <b1d9la$idc$1@ctb-nnrp2.saix.net>


OtherOne wrote:

> I'm developing a Windows app using ADO and Oracle8i and would like to be
> able for the user to change the password. I'm assuming that using "ALTER
> USER..." would send the password as clear text over the network unless all
> network communication is encrypted. Does anyone know of a method of
> changing the password securely over the network without encrypting all
> network communications?

SSL. But I'm not sure why you are so concerned. Telnet uses clear text. Microsoft Networking uses a very weak encryption method that can be brute force hacked. What about HTTP and other protocols? There are _tons_ of issues when it comes to the contents of IP traffic on your network.

Just trying to plug a single very small hole wrt Oracle... well, I do not think that is the correct way to approach security.

It is also a mistake to put the security in your application. That can be circumvented (user can use another SQL client to change their password that does not implement your application security methods).

If you are really concerned about someone running a sniffer to pick up an ALTER USER statement... well then you should be concerned about every single IP packet transmitted on your network. Concerned about access to your network. Concerned about how hackers can run promiscuous mode software on your network. Concerned about the security of your routers and switches.

Security IMO does not start by trying to make an ALTER USER SQL statement secure from within a client application.

--
Billy
Received on Fri Jan 31 2003 - 03:46:31 CST
