Re: Secure oracle password length
"Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<1013806422.737112_at_bugstomper.ihug.com.au>...
> create profile secureone limit
> failed_login_attempts 3
> password_lock_time 1/24;
>
> alter user X profile secureone;
>
> In other words, there is already a mechanism in place to prevent bulk hack
> attacks. After three failures, the account is locked for (in this case) an
> hour. That should slow things down sufficiently to mean that your 57 hours
> now becomes rather more like 5000.
Unfortunately, this type of attack can be done without the Oracle server itself. You only need the user name and hashed password for that. For example, if you can get the contents of the sys.user$ table then you can use any computer (you only need a program that calculates password hashes the way the Oracle server does). Of course, you can't prevent this type of attack with a "create profile ..." statement.
Maxim.

Received on Sun Feb 17 2002 - 10:48:29 CST
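
Because the lockout profile only throttles guesses made through the server, the complementary defensive check is to find out who can read the stored hashes in the first place. The queries below are an added example, not part of the original posts. They assume a DBA session and that the objects worth auditing are SYS.USER$ and the DBA_USERS view (which on releases of that era shows the same hash in its PASSWORD column).

```sql
-- Added example: audit which grantees can read Oracle password hashes.
-- Assumption: run as a DBA; the list of objects and privileges checked
-- is this example's choice, not something stated in the thread.

-- 1. Direct object grants on the table holding the hashes and on the
--    dictionary view built over it.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('USER$', 'DBA_USERS')
ORDER  BY grantee, table_name;

-- 2. System privileges that can reach SYS-owned dictionary objects.
--    SELECT ANY TABLE only covers SYS objects when the
--    O7_DICTIONARY_ACCESSIBILITY parameter is TRUE.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
ORDER  BY grantee, privilege;

-- 3. Grantees in (1) and (2) may be roles. Walk the role hierarchy to
--    list every user or role that inherits one of them indirectly.
SELECT DISTINCT grantee
FROM   dba_role_privs
START  WITH granted_role IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner = 'SYS'
         AND    table_name IN ('USER$', 'DBA_USERS')
         UNION
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE'))
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;
```

Any grantee returned here that is not an administrative account is a path by which hashes could leave the database, at which point FAILED_LOGIN_ATTEMPTS no longer applies.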