Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle Default Users and Security
Thanks Connor, i didn't know there was a list in the 9i documentation, i
will have a look and add to my list. I read that only SYS and SYSTEM are
not locked on 9i, but i haven't got access to 9i to confirm at the
moment.
cheers
Pete
In article <3BE6A0C1.3BDF_at_yahoo.com>, Connor McDonald
<connor_mcdonald_at_yahoo.com> writes
>Pete Finnigan wrote:
>>
>> Hi all
>>
>> If anyone is interested i have put together a list of the all default
>> Oracle users i can find and their default passwords and hashes 109 so
>> far and i still have some areas to look at.
>>
>> I have found in my recent work on Oracle security audits that a major
>> area of concern is the amount of databases where there still exists at
>> least one default account where the password is still a default one.
>>
>> So i have created a table at http://www.pentest-limited.com/default-
>> user.htm ( or you can go to the site and its in the technical and white
>> papers section ) that has the users and passwords and hashes and a
>> simple SQL script generated from this list that can be run as a DBA to
>> check if any defaults are still set easily.
>>
>> regards,
>> Pete
>> --
>> Pete Finnigan
>> IT Security Consultant
>> PenTest Limited
>>
>> Office 01565 830 990
>> Fax 01565 830 889
>> Mobile 07974 087 885
>>
>> pete.finnigan_at_pentest-limited.com
>>
>> www.pentest-limited.com
>
>Worthy of note could be the 9i doco - which contains a similar list
>somewhere in the doco (it also does the nice thing of locking accounts
>and expiring password - a claim I have not confirmed)
>
>hth
>connor
-- Pete Finnigan IT Security Consultant PenTest Limited Office 01565 830 990 Fax 01565 830 889 Mobile 07974 087 885 pete.finnigan_at_pentest-limited.com www.pentest-limited.comReceived on Mon Nov 05 2001 - 09:22:17 CST