Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Secure oracle password length

From: Howard J. Rogers <dba_at_hjrdba.com>
Date: Sun, 24 Feb 2002 10:43:05 +1100
Message-ID: <a599em$stp$1@lust.ihug.co.nz>


Hang on!

Your original post was complaining that Oracle's hashing algorithm was poor because it didn't restrict the number of hack attempts to (you said) 1000 per hour. All I was doing was pointing out that there is already a perfectly adequate mechanism that will slow the rate of hacking attempts down to something unworkable.

Now you change the goal posts, and worry about someone with access to your user$ table! Well, that indicates a significant breach of ordinary security procedures for sure, but it's got nothing to do with any weakness or otherwise in Oracle's hashing algorithm! If someone's able to log on to your database and look at that particular table, it either means you've been ridiculously careless with object privileges, or someone knows your SYS password... at which point, the sky's the limit, since there is no need whatever to hack anything if you can log on as SYS.

In either case, the issue raised in your first post (and still visible as this thread's title) has nothing to do with it. You can make your required password lengths 400 characters long, if you want... and if I can log on as SYS, I can still do precisely whatever I like.

--
----------------------------------------------
Resources for Oracle: http://www.hjrdba.com
===============================


"Maxim Anisiutkin" <manisiutkin_at_grtcorp.com> wrote in message
news:71ce14f2.0202170848.7aa21667_at_posting.google.com...

> "Howard J. Rogers" <dba_at_hjrdba.com> wrote in message
> news:<1013806422.737112_at_bugstomper.ihug.com.au>...
> > create profile secureone limit
> > failed_login_attempts 3
> > password_lock_time 1/24;
> >
> > alter user X profile secureone;
> >
> > In other words, there is already a mechanism in place to prevent bulk hack
> > attacks. After three failures, the account is locked for (in this case) an
> > hour. That should slow things down sufficiently to mean that your 57 hours
> > now becomes rather more like 5000.
>
> Unfortunately, this type of attack can be done without the Oracle
> server itself. You only need the user name and hashed password for that.
> For example, if you can get the content of the sys.user$ table, then you can
> use any computer (you need only a program that calculates password
> hashes the way the Oracle server does). Of course, you can't prevent this
> type of attack with a "create profile ..." statement.
>
> Maxim.
Received on Sat Feb 23 2002 - 17:43:05 CST
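As an added illustration that is not part of the thread, the lockout profile Howard quotes is written out below with the PASSWORD_LOCK_TIME fraction in valid syntax (the quoted `1//24` is a typo; the parameter is expressed in days, so `1/24` is one hour), followed by the data-dictionary checks a DBA would run to confirm the profile is in force, to see which accounts it has locked, and to find out who can read SYS.USER$ at all, which is the exposure Maxim raises. The profile and user names are the thread's own; DBA_PROFILES, DBA_USERS, DBA_TAB_PRIVS, DBA_SYS_PRIVS and V$PARAMETER are standard Oracle data-dictionary views.

```sql
-- Lockout profile from the thread. PASSWORD_LOCK_TIME is in days,
-- so 1/24 locks the account for one hour after three failed logins.
CREATE PROFILE secureone LIMIT
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME    1/24;

ALTER USER x PROFILE secureone;

-- Confirm the limits actually took effect (LIMIT is stored as a string).
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SECUREONE'
   AND resource_type = 'PASSWORD';

-- Accounts the profile has locked. A run of LOCKED(TIMED) rows with recent
-- LOCK_DATE values is the online guessing attempt being throttled, and is
-- worth alerting on rather than silently waiting out.
SELECT username, account_status, lock_date, profile
  FROM dba_users
 WHERE account_status LIKE 'LOCKED%'
 ORDER BY lock_date DESC;

-- Maxim's point: the profile is irrelevant once the hashes leave the
-- database, so check who can read SYS.USER$. Direct grants on the table:
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'USER$';

-- System privileges that reach SYS.USER$ without any direct grant.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE');

-- SELECT ANY TABLE only reaches SYS-owned objects when this parameter is
-- TRUE; FALSE is the expected value on a hardened instance.
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';
```

The first two queries answer the question the thread actually argues about (is online guessing throttled); the last three answer the one Maxim substitutes (can the hashes be copied out). Anyone appearing in the grant lists other than SYS, SYSTEM and the DBA role is a finding to review, since, as Howard notes, such access already amounts to a breach that no password-length rule can compensate for.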

