Re: Oracle network authentication encryption?

From: DA Morgan <damorgan_at_psoug.org>
Date: Mon, 14 Nov 2005 11:33:26 -0800
Message-ID: <1131996890.439578@yasure>


Maxim Demenko wrote:
> Mark D Powell schrieb:
>

>> Jeroen, it isn't the logon encryption that has been questioned recently
>> so much as the password hash that Oracle generates and stores in the
>> DB.  It does not do you a lot of good to encrypt the logon id and
>> password passed over the network if the password hash stored in the
>> database can be easily broken.
>>
>> There was an article published that criticized the password hash used
>> by Oracle as being weak and demonstrating how easy it is to generate a
>> list of all possible passwords for a set size password.  Because Oracle
>> converts lower case to upper, Oracle loses about half of the available
>> hash values.  The average was around 20 days to crack a password.
>> Requiring all passwords to be long greatly increases this average time
>> necessary to break the hash.  Requiring all passwords to be changed in
>> less than the average time to crack would also be wise.  Use of single
>> sign-on or LDAP based sign-on security would completely bypass this
>> issue.
>>
>> You can probably find a link or two to the issue on Pete Finnigan's
>> site
>> http://www.petefinnigan.com
>> Pete sort of specializes in security related issues
>>
>> HTH -- Mark D Powell --
>>

>
> It might be interesting to add that in Roger's comment on Bruce
> Schneier's blog on this subject (
> http://www.schneier.com/blog/archives/2005/11/oracles_passwor.html ) -
> and Pete Finnigan picked this up as well - it is clearly stated that the
> uppercase used by Oracle to generate hashes does not necessarily mean
> weakness of the algorithms being used.
>
> <quote>
> For example, the authors note that they were able to enumerate all 8
> character alphanumeric passwords in 39 days. Okay, a bit faster than I
> expected buuuut... we have long considered 8 character alphanumeric
> passwords to be the absolute lowest common denominator for password
> security. Adding in punctuation as well would already increase this to
> 21 years! Or keeping to alphanumeric but requiring a ten character
> password, would push it out to 140 years. Or do both, and even with a
> 1000 host zombie network it will take more than a century.
> </quote>
>
> The main problem seems to be not the Oracle hashing algorithm itself,
> but the fact that many sites don't implement the simplest things to
> make the passwords secure and don't prevent unauthorized access to
> hashed passwords stored in the database.
>
> Best regards
>
> Maxim

I agree. How is it any more Oracle's fault that people don't implement the security resources provided than it is Ford's fault that people don't buckle their seatbelts?

How many databases do you know that have RESOURCE_LIMIT = TRUE and PROFILES implemented? How many have implemented TCP.VALIDNODE_CHECKING? Neither of these takes more than five minutes to implement. And yet I can think of only a handful of DBAs that do so routinely.

-- 
Daniel A. Morgan
http://www.psoug.org
damorgan_at_x.washington.edu
(replace x with u to respond)
Received on Mon Nov 14 2005 - 13:33:26 CST
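
The figures in the comment Maxim quotes follow from plain keyspace scaling. Worked through here as an added derivation (not part of any message in the thread), using the quoted 39 days for the 36-symbol, 8-character space as the only input:

If an alphabet of $|\Sigma|$ symbols and a length of $L$ characters gives $|\Sigma|^L$ candidates, and exhausting the $36^8$ space takes $T_8 = 39$ days, then exhausting any other space at the same rate takes

$$T = 39\ \text{days} \cdot \frac{|\Sigma|^L}{36^8}.$$

Ten alphanumeric characters: $\dfrac{36^{10}}{36^8} = 36^2 = 1296$, so $T \approx 39 \cdot 1296 \approx 50{,}500$ days $\approx 138$ years, the quoted "140 years".

Adding punctuation keeps $L = 8$ but grows $|\Sigma|$; the quoted 21 years requires $\left(\dfrac{|\Sigma|}{36}\right)^8 \approx \dfrac{21 \cdot 365}{39} \approx 197$, i.e. $|\Sigma| \approx 70$, so the comment assumed roughly 34 punctuation marks on top of the 36 alphanumerics.

The 36 already reflects Oracle's uppercasing of the password before hashing. A case-preserving hash over the same 8 characters would have $62^8$ candidates, a factor of $\left(\dfrac{62}{36}\right)^8 \approx 77$ larger, which is the quantitative content of Mark's point about case folding.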

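The two in-database controls Morgan names, as an added hardening example (not code from any poster): a profile that enforces lockout, password lifetime, reuse limits and complexity, applied to an account, followed by the audit queries a DBA would run to find accounts that still carry unlimited passwords and grantees who can read the stored hashes. One caveat worth knowing: RESOURCE_LIMIT governs only the resource parameters of a profile (sessions, CPU, idle time); the password parameters are enforced whether or not it is set. The profile name app_users and the user app_owner are placeholders; verify_function is assumed to have been installed by running Oracle's shipped $ORACLE_HOME/rdbms/admin/utlpwdmg.sql on the 10g release current when this thread was written.

```sql
-- Added hardening example, not from the thread.  app_users and app_owner are placeholders.

-- Turn on enforcement of the *resource* parameters in profiles.
-- Password parameters below are enforced regardless of this setting.
-- SCOPE = BOTH assumes the instance was started with an spfile.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Complexity function: run @?/rdbms/admin/utlpwdmg.sql first.
-- On 10g it creates VERIFY_FUNCTION; later releases ship differently named functions.
CREATE PROFILE app_users LIMIT
  -- lock the account after 5 consecutive failed logons
  FAILED_LOGIN_ATTEMPTS    5
  -- keep it locked for 1 day (fractions work: 1/24 is one hour)
  PASSWORD_LOCK_TIME       1
  -- force a change every 30 days, well inside the 39-day enumeration quoted above
  PASSWORD_LIFE_TIME       30
  -- warn for 5 days before the expired password stops working
  PASSWORD_GRACE_TIME      5
  -- no reuse of any of the last 10 passwords ...
  PASSWORD_REUSE_MAX       10
  -- ... nor of any password used in the past year
  PASSWORD_REUSE_TIME      365
  -- minimum length and character-class rules
  PASSWORD_VERIFY_FUNCTION verify_function
  -- a resource limit: only enforced once RESOURCE_LIMIT = TRUE
  SESSIONS_PER_USER        10;

ALTER USER app_owner PROFILE app_users;

-- Audit 1: accounts whose profile still allows passwords to live forever.
SELECT u.username, u.profile, u.account_status
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'PASSWORD_LIFE_TIME'
   AND p.limit         = 'UNLIMITED'
 ORDER BY u.username;

-- Audit 2: who can read the stored hashes (DBA_USERS / SYS.USER$) at all?
-- Maxim's point: the hash weakness only matters if this list is larger than it should be.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE')
 ORDER BY 1, 2;
```

The second control Morgan mentions is not SQL: it lives in the sqlnet.ora of the listener's ORACLE_HOME as TCP.VALIDNODE_CHECKING = YES together with TCP.INVITED_NODES = (list of hosts or addresses) (or, inversely, TCP.EXCLUDED_NODES), and takes effect after the listener is restarted. A client not on the invited list is refused at the TNS layer before any username or hash is ever exchanged, which is why it complements the profile rather than duplicating it.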