Oracle FAQ Your Portal to the Oracle Knowledge Grid

Efficiency of alter user (was: Re: Password crypt function)

From: Piotr Kolodziej <pkol_at_otago.gda.pl>
Date: Fri, 25 Sep 1998 19:11:43 +0200
Message-ID: <6ugitc$72a$1@sunrise.pg.gda.pl>


Jurij Modic wrote in message <3608efa0.13081711_at_news.siol.net>...
>On Wed, 23 Sep 1998 14:34:21 +0200, "Piotr Kolodziej"
><pkol_at_otago.gda.pl> wrote:
>
>>Jurij Modic wrote in message <36089c20.1197561_at_news.siol.net>...
>>>Why look for the digest function if you have it built into your
>>>RDBMS? So use the function that is originally used! Here is the
>>>scenario:
>>
>>[cut]
>>
>>But according to your scenario, during password probing the user cannot
>>connect to the database because of the password change.
>>The digest function uses both the user name and the provided password,
>>so you are not able to proceed with a dummy user.
>
>Well, if this is a problem then you can perform this check on another,
>let us say testing, database (for example, a small Personal Oracle
>database will do). All you have to do is to transfer all usernames and
>their encrypted passwords to a table in this test instance and perform
>all the needed checks there.

[cut]

However it works, it has insufficient efficiency. As I have tested, it may check only up to 100-200 passwords per second. So checking against a good dictionary (up to a million or more words) will take hours for one user name. It is not surprising. Alter user causes an update of internal dictionary tables and generates redo, which must be flushed to disk at the end of the DDL statement. The RDBMS performs much unnecessary work. So the question about the password crypt function makes more sense.

The conclusion is not optimistic. The DBA has no good way to check passwords against a dictionary (especially with some variations) or against a brute-force attack. But we may be sure that attackers are able to get the digest function. So is it better to keep this function unpublished?

Regards,
Piotr
--
 Piotr Kolodziej
 <pkol_at_otago.gda.pl>

Received on Fri Sep 25 1998 - 12:11:43 CDT
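The post attributes the 100-200 checks per second ceiling to ALTER USER being DDL: each statement updates the data dictionary, commits, and forces a redo flush. The PL/SQL block below is an added example (not part of the original message or of any Oracle-supplied script) that lets a DBA measure that cost directly on a test instance. It assumes a throwaway account named audit_probe exists there, and that the executing schema has been granted direct SELECT on the v$mystat and v$statname views so they can be referenced from PL/SQL; the batch size of 100 is a constructed value.

```sql
-- Added example: quantify the redo and wall-clock cost of ALTER USER ... IDENTIFIED BY.
-- Run only against a test instance; audit_probe is an assumed throwaway account.
SET SERVEROUTPUT ON

DECLARE
  redo_before NUMBER;
  redo_after  NUMBER;
  t_start     NUMBER;
  n_changes   PLS_INTEGER := 100;  -- constructed batch size
BEGIN
  -- 'redo size' is the session-level counter of redo bytes generated so far
  SELECT s.value INTO redo_before
    FROM v$mystat s JOIN v$statname n ON n.statistic# = s.statistic#
   WHERE n.name = 'redo size';

  t_start := DBMS_UTILITY.GET_TIME;  -- hundredths of a second

  FOR i IN 1 .. n_changes LOOP
    -- every iteration is a separate DDL statement:
    -- dictionary update, implicit commit, redo flushed to disk
    EXECUTE IMMEDIATE 'ALTER USER audit_probe IDENTIFIED BY probe_' || i;
  END LOOP;

  SELECT s.value INTO redo_after
    FROM v$mystat s JOIN v$statname n ON n.statistic# = s.statistic#
   WHERE n.name = 'redo size';

  DBMS_OUTPUT.PUT_LINE('redo bytes per ALTER USER: '
    || ROUND((redo_after - redo_before) / n_changes));
  DBMS_OUTPUT.PUT_LINE('ALTER USER statements per second: '
    || ROUND(n_changes * 100 / GREATEST(DBMS_UTILITY.GET_TIME - t_start, 1)));
END;
/
```

The two figures printed show why a per-candidate ALTER USER cannot scale: the throughput is bounded by the log writer's flush latency, not by the hashing itself, which is the point the post makes about the RDBMS doing unnecessary work. Afterwards, lock or drop the audit_probe account so the last assigned password is not left in use.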
