
Re: Secure oracle password length

From: Howard J. Rogers <dba_at_hjrdba.com>
Date: Sat, 16 Feb 2002 07:52:59 +1100
Message-ID: <1013806422.737112@bugstomper.ihug.com.au>


create profile secureone limit
  failed_login_attempts 3      -- lock the account after three consecutive failed logins
  password_lock_time 1/24;     -- keep it locked for 1/24 of a day, i.e. one hour

alter user X profile secureone;

In other words, there is already a mechanism in place to prevent bulk hack attacks. After three failures, the account is locked for (in this case) an hour. That should slow things down sufficiently to mean that your 57 hours now becomes rather more like 5000.

Regards
HJR

--
----------------------------------------------
Resources for Oracle: http://www.hjrdba.com
===============================


"Maxim Anisiutkin" <manisiutkin_at_grtcorp.com> wrote in message
news:71ce14f2.0202151031.7db08394_at_posting.google.com...

> Hi,
>
> I just want to say that any password shorter than 7 symbols might be
> insecure when its password hash (password column of sys.user$ table)
> is known. In this case the password can be recovered simply by a
> 'brute-force' attack (20000 - 30000 passwords per second on any modern
> PC). For instance, a 6-symbol password will be recovered in approximately
> 40^6 / 2*10^4 / 3600 = 57 hours.
> In my opinion this is a shortcoming of the current password hashing
> algorithm (because Oracle hasn't modified it for too long). Probably, it
> shouldn't evaluate more than 1000 password hashes per second on
> any processor and platform.
>
> Thank you,
> Maxim.
Received on Fri Feb 15 2002 - 14:52:59 CST
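Added here as a worked example (not part of either post): the two guessing regimes the thread contrasts, Maxim's offline estimate against a known hash and the online rate the secureone profile imposes at the login prompt. The alphabet size, hash rate and profile limits are taken from the posts; the online bound assumes the attacker retries the moment each lock expires.

```python
"""Estimate guessing time for the two regimes discussed in the thread."""
from dataclasses import dataclass

# Figures quoted in the posts (assumptions taken from the thread, not measured here)
OFFLINE_HASHES_PER_SEC = 20_000       # Maxim's lower figure for a 2002-era PC
ALPHABET_SIZE = 40                    # the 40-symbol alphabet in Maxim's 40^6 estimate


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def offline_hours(length: int, hashes_per_sec: float = OFFLINE_HASHES_PER_SEC,
                  alphabet: int = ALPHABET_SIZE) -> float:
    """Worst-case time to exhaust the keyspace against a known hash.
    Nothing on the server throttles this; only hash rate and keyspace matter."""
    return keyspace(length, alphabet) / hashes_per_sec / 3600


@dataclass(frozen=True)
class Profile:
    """The two limits from the CREATE PROFILE statement in the reply."""
    failed_login_attempts: int
    password_lock_time_days: float   # Oracle expresses this in days: 1/24 = one hour

    def max_guesses_per_hour(self) -> float:
        """Upper bound on online guesses: a burst of failed attempts, then a lock.
        Assumes the attacker retries the instant the lock expires."""
        lock_hours = self.password_lock_time_days * 24
        return self.failed_login_attempts / lock_hours


def online_hours(length: int, profile: Profile, alphabet: int = ALPHABET_SIZE) -> float:
    """Worst-case time to exhaust the keyspace by guessing at the login prompt."""
    return keyspace(length, alphabet) / profile.max_guesses_per_hour()


def slowdown_factor(profile: Profile, hashes_per_sec: float = OFFLINE_HASHES_PER_SEC) -> float:
    """How many times slower online guessing is than offline hashing."""
    return hashes_per_sec * 3600 / profile.max_guesses_per_hour()


if __name__ == "__main__":
    secureone = Profile(failed_login_attempts=3, password_lock_time_days=1 / 24)
    print(f"{'len':>3} {'offline h':>14} {'online h (secureone)':>22}")
    for n in range(5, 9):
        print(f"{n:>3} {offline_hours(n):>14.1f} {online_hours(n, secureone):>22.3e}")
    print(f"slowdown factor: {slowdown_factor(secureone):.0f}x")
```

The profile bounds only the online column; once the hash itself is known, as in Maxim's scenario, the offline figure is the one that applies.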
