
Re: Oracle Default Users and Security

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Mon, 5 Nov 2001 15:22:17 +0000
Message-ID: <oNmrVNAp6q57Ew4W@peterfinnigan.demon.co.uk>


Thanks Connor, I didn't know there was a list in the 9i documentation; I will have a look and add to my list. I read that only SYS and SYSTEM are not locked on 9i, but I haven't got access to 9i to confirm at the moment.

cheers
Pete

In article <3BE6A0C1.3BDF_at_yahoo.com>, Connor McDonald <connor_mcdonald_at_yahoo.com> writes
>Pete Finnigan wrote:
>>
>> Hi all
>>
>> If anyone is interested, I have put together a list of all the default
>> Oracle users I can find and their default passwords and hashes, 109 so
>> far, and I still have some areas to look at.
>>
>> I have found in my recent work on Oracle security audits that a major
>> area of concern is the number of databases where there still exists at
>> least one default account where the password is still a default one.
>>
>> So I have created a table at
>> http://www.pentest-limited.com/default-user.htm (or you can go to the
>> site and it's in the technical and white papers section) that has the
>> users and passwords and hashes and a simple SQL script generated from
>> this list that can be run as a DBA to easily check if any defaults are
>> still set.
>>
>> regards,
>> Pete
>> --
>> Pete Finnigan
>> IT Security Consultant
>> PenTest Limited
>>
>> Office 01565 830 990
>> Fax 01565 830 889
>> Mobile 07974 087 885
>>
>> pete.finnigan_at_pentest-limited.com
>>
>> www.pentest-limited.com
>
>Worthy of note could be the 9i doco - which contains a similar list
>somewhere in the doco (it also does the nice thing of locking accounts
>and expiring password - a claim I have not confirmed)
>
>hth
>connor

-- 
Pete Finnigan
IT Security Consultant
PenTest Limited

Office  01565 830 990
Fax     01565 830 889
Mobile  07974 087 885

pete.finnigan_at_pentest-limited.com

www.pentest-limited.com
Received on Mon Nov 05 2001 - 09:22:17 CST
