Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Secure oracle password length

Re: Secure oracle password length

From: Maxim Anisiutkin <manisiutkin_at_grtcorp.com>
Date: 17 Feb 2002 08:48:29 -0800
Message-ID: <71ce14f2.0202170848.7aa21667@posting.google.com>


"Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<1013806422.737112_at_bugstomper.ihug.com.au>...
> create profile secureone limit
> failed_login_attempts 3
> password_lock_time 1/24;
>
> alter user X profile secureone;
>
> In other words, there is already a mechanism in place to prevent bulk hack
> attacks. After three failures, the account is locked for (in this case) an
> hour. That should slow things down sufficiently to mean that your 57 hours
> now becomes rather more like 5000.

Unfortunately, this type of attack can be done without the Oracle server itself. You only need the user name and hashed password for that. For example, if you can get the contents of the sys.user$ table then you can use any computer (you only need a program that calculates password hashes like the Oracle server does). Of course, you can't prevent this type of attack with a "create profile ..." statement.

Maxim.

Received on Sun Feb 17 2002 - 10:48:29 CST
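The reply above turns on who can read sys.user$, since a lockout profile does nothing once the hashes have left the server. The following audit query is an added example, not part of the original posts; it assumes Oracle 10g or later (for CONNECT_BY_ROOT) and a session that can read the DBA_* dictionary views.

```sql
-- Added example: list every account that can read the stored password
-- hashes, either directly or through a chain of role grants.
WITH hash_access AS (
    -- Object grants on the table and view that expose the hashes
    -- (on 11g and later DBA_USERS.PASSWORD is empty; USER$ still matters)
    SELECT grantee,
           privilege || ' ON ' || owner || '.' || table_name AS via
    FROM   dba_tab_privs
    WHERE  owner = 'SYS'
    AND    table_name IN ('USER$', 'DBA_USERS')
    UNION ALL
    -- System privileges that can reach SYS-owned objects.
    -- SELECT ANY TABLE only reaches SYS when O7_DICTIONARY_ACCESSIBILITY
    -- is TRUE; it is listed so that the setting gets reviewed as well.
    SELECT grantee, privilege AS via
    FROM   dba_sys_privs
    WHERE  privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY')
),
role_tree AS (
    -- Expand each role to everything that holds it, through nested roles
    SELECT CONNECT_BY_ROOT granted_role AS root_role, grantee
    FROM   dba_role_privs
    CONNECT BY PRIOR grantee = granted_role
)
-- Accounts (or PUBLIC) holding the privilege directly
SELECT h.grantee AS account, h.via, 'direct' AS how
FROM   hash_access h
WHERE  h.grantee = 'PUBLIC'
OR     h.grantee IN (SELECT username FROM dba_users)
UNION
-- Accounts that inherit it from a role
SELECT r.grantee, h.via, 'via role ' || r.root_role
FROM   hash_access h
JOIN   role_tree r ON r.root_role = h.grantee
WHERE  r.grantee IN (SELECT username FROM dba_users)
ORDER  BY 1, 2;
```

Any row for PUBLIC or for an application account is worth revoking or justifying, because that account's compromise exposes every user's hash to guessing that no profile limit can slow.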
