Oracle FAQ | Your Portal to the Oracle Knowledge Grid
c.d.o.misc -> Re: Security and changing passwords over network.
I actually agree with you, but I'm not the DBA or the Information Resources
department who has these anal-retentive rules. I would be willing to bet the
DBAs use unsecured methods to set up users and reset lost passwords and then
insist that we application developers do otherwise.
I was asking just to be sure I wasn't overlooking some obvious and simple way to placate the IR goons.
I may create a stored procedure to do the job just so the "ALTER USER" is not exposed over the network. Probably more than they have done.
Thanks
Gerald
"DA Morgan" <damorgan_at_exesolutions.com> wrote in message
news:3E3AA4BE.899509FF_at_exesolutions.com...
> Billy Verreynne wrote:
>
> > OtherOne wrote:
> >
> > > I'm developing a Windows app using ADO and Oracle8i and would like to be
> > > able for the user to change the password. I'm assuming that using "ALTER
> > > USER..." would send the password as clear text over the network unless all
> > > network communication is encrypted. Does anyone know of a method of
> > > changing the password securely over the network without encrypting all
> > > network communications?
> >
> > SSL.
> >
> > But I'm not sure why you are so concerned. Telnet uses clear text. Microsoft
> > Networking uses a very weak encryption method that can be brute force
> > hacked. What about HTTP and other protocols? There are _tons_ of issues
> > when it comes to the contents of IP traffic on your network.
> >
> > Just trying to plug a single very small hole wrt to Oracle... well, I do not
> > think that is the correct way to approach security.
> >
> > It is also a mistake in putting the security in your application. That can
> > be circumvented (user can use another SQL client to change their password
> > that does not implement your application security methods).
> >
> > If you are really concerned at someone running a sniffer to pick up an ALTER
> > USER statement... well then you should be concerned about every single IP
> > packet transmitted on your network. Concerned about access to your network.
> > Concerned about how hackers can run promiscuous mode software on your
> > network. Concerned about the security of your routers and switches.
> >
> > Security IMO does not start by trying to make an ALTER USER SQL statement
> > secure from inside a client application.
> >
> > --
> > Billy
>
> I agree. There is more likelihood of someone hacking in based on users sharing
> passwords or passwords written on Post-It notes. If someone is sophisticated
> enough to be sniffing network packets ... you aren't going to stop them unless
> you secure all of the easier things they might try first.
>
> Daniel Morgan
>
Received on Sat Feb 01 2003 - 07:35:11 CST
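A worked version of the stored-procedure idea Gerald floats above, added here as an example; it is not code from any participant in this thread. It assumes Oracle 10g or later (DBMS_ASSERT did not exist in the Oracle8i mentioned in the question), a hypothetical role named APP_ROLE for the application accounts, and that the procedure owner holds the ALTER USER system privilege as a direct grant. The wrapper lets a session change only its own password, keeps the ALTER USER text off the client, and relies on DBMS_ASSERT.ENQUOTE_NAME so that a crafted password cannot break out of the dynamically built DDL.

```sql
-- Added example, not code from any participant in this thread.
-- Assumes Oracle 10g or later (for DBMS_ASSERT) and a hypothetical role APP_ROLE.
-- The procedure owner needs ALTER USER granted directly, because privileges that
-- arrive through roles are not visible inside definer's-rights PL/SQL.
CREATE OR REPLACE PROCEDURE change_my_password (p_new_password IN VARCHAR2)
AUTHID DEFINER
AS
    v_user VARCHAR2(128);
BEGIN
    -- Take the account name from the session, never from the caller, so the
    -- procedure can only change the password of whoever invoked it.
    v_user := SYS_CONTEXT('USERENV', 'SESSION_USER');

    -- Minimal policy check; a real deployment would defer to the profile's
    -- password verification function as well.
    IF p_new_password IS NULL OR LENGTH(p_new_password) < 12 THEN
        RAISE_APPLICATION_ERROR(-20001, 'new password must be at least 12 characters');
    END IF;

    -- DDL cannot take bind variables, so both values are concatenated into the
    -- statement. DBMS_ASSERT.ENQUOTE_NAME wraps each in double quotes and raises
    -- an error if the value itself contains a double quote, which is what stops
    -- a crafted value from terminating the statement early.
    -- capitalize => FALSE keeps the exact characters the user typed.
    EXECUTE IMMEDIATE 'ALTER USER '
        || DBMS_ASSERT.ENQUOTE_NAME(v_user, capitalize => FALSE)
        || ' IDENTIFIED BY '
        || DBMS_ASSERT.ENQUOTE_NAME(p_new_password, capitalize => FALSE);
END change_my_password;
/

-- Application accounts get EXECUTE on the wrapper only, never ALTER USER itself.
GRANT EXECUTE ON change_my_password TO app_role;

-- From the client (ADO or any other driver) the call is an ordinary
-- parameterised anonymous block:
--   BEGIN change_my_password(:new_pw); END;
```

One caveat a practitioner should keep in mind: the wrapper removes the ALTER USER statement from client traffic, which is the stated goal, but the new password still crosses the network as the procedure's argument. Keeping it out of clear text is a transport question, answered by SSL as Billy says or by Oracle's native network encryption (the SQLNET.ENCRYPTION_* settings in sqlnet.ora), not something any stored procedure can solve on its own.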