Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Secure oracle password length

From: Igor Laletin <ilaletin_at_usa.net>
Date: 25 Feb 2002 01:13:35 -0800
Message-ID: <f9226414.0202250113.69df43d5@posting.google.com>


"Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<a5cask$j6e$1_at_lust.ihug.co.nz>...
> Oracle passwords are *not* encrypted. They are hashed, which is quite a
> different thing altogether.

... and that's bad. Password security should not rely completely on external protection like profiles. In the real world we should assume that the encrypted password is available to a hacker, so the encryption must be strong enough.

> And yet again, you seem to imply a weakness where none need exist: it
> wouldn't matter if you threw a Pentium VI 92789468GHz processor at the job
> of cracking a password, if after three attempts the account is locked, would
> it?

Profiles are not an excuse for the lack of proper encryption. If you have a hashed password, just create user ... identified by values in a private database and take your time. A Pentium VI 92789468GHz would come in handy :)

BTW, account locking is not that great. I'd make those three attempts and lock all your DB accounts. A simple DoS attack.

Cheers,
Igor  

> HJR
> --
> ----------------------------------------------
> Resources for Oracle: http://www.hjrdba.com
> ===============================
>
>
> "Maxim Anisiutkin" <manisiutkin_at_grtcorp.com> wrote in message
> news:71ce14f2.0202241653.74d3a4e0_at_posting.google.com...
> > > I'm sorry, I give up. I haven't a clue what you're talking about. I've
> > > *told* you how to make it not 20000 connections a second. For the rest...
> > > well, yes... if you leave odd export files scattered around your hard disks,
> > > you probably leave your front door keys next to your wallet on the bar of
> > > your local pub too. It's not really the key's fault when you next then get
> > > broken into, is it?
> >
> > Well... That's a good example... Definitely, it's not the key's
> > fault. But several years ago (good old times) you could afford that
> > kind of carelessness without any impact on security. Now you
> > cannot... What would you say if Oracle decided not to use password
> > hashing at all and stored passwords as cleartext? Not very pleasant,
> > really... And now, if you have a password shorter than 7 chars it's
> > almost the same as storing it as cleartext.
> >
> > When I started with Oracle it was version 6, and at that time I read
> > that they used a "Modified DES" algorithm for password hashing. So I
> > felt quite reassured about the ability of my Intel 80486 25MHz to perform
> > that "Modified DES". Many years have passed... And now we have a P4 2GHz
> > against the same "Modified DES" for Oracle9i, because Oracle didn't
> > change anything in that algorithm!
> >
> > Actually, I can say that this is not the key's problem (long passwords
> > are not convenient to use and often decrease the level of security).
> > But this is the lock's problem, which is too old-fashioned
> > nowadays...
> >
> > Maxim.
> >
> > P.S. I might have been wrong...
Received on Mon Feb 25 2002 - 03:13:35 CST
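Added example, not part of the original thread, putting the two points argued above into Oracle's own terms: the FAILED_LOGIN_ATTEMPTS profile that Howard relies on, with the PASSWORD_LOCK_TIME setting that bounds the lockout denial of service Igor describes, and the CREATE USER ... IDENTIFIED BY VALUES trick that lets anyone holding a hash guess offline with no profile in the way. The profile name strict_login and the use of the SCOTT account are illustrative; the hash value is the widely published one for the default SCOTT/TIGER password; the PASSWORD_VERIFY_FUNCTION line assumes the Oracle-supplied utlpwdmg.sql script has been run as SYS (it creates VERIFY_FUNCTION); reading the hash from DBA_USERS.PASSWORD applies to the 8i/9i releases under discussion, since later releases stop exposing it there.

```sql
-- Added example (not from the original thread). Oracle 8i/9i-era syntax,
-- run as a DBA in SQL*Plus. strict_login, the SCOTT account and the
-- SCOTT/TIGER hash are illustrative.

-- 1. The lockout profile Howard's argument rests on.
--    PASSWORD_LOCK_TIME is expressed in days. A finite value turns Igor's
--    "three bad guesses lock every account" into an outage of bounded
--    length; with UNLIMITED the account stays locked until a DBA acts.
CREATE PROFILE strict_login LIMIT
    FAILED_LOGIN_ATTEMPTS    3
    PASSWORD_LOCK_TIME       1/24             -- one hour, not "until someone notices"
    PASSWORD_LIFE_TIME       90
    PASSWORD_VERIFY_FUNCTION verify_function;  -- assumes utlpwdmg.sql was run as SYS
ALTER USER scott PROFILE strict_login;

--    Check: which accounts has an attacker (or a typo-prone colleague)
--    locked, and since when? Any client that can reach the listener can
--    still spend three bad guesses per account per hour, so watch this.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  account_status LIKE 'LOCKED%';

--    Recovering a deliberately locked account:
ALTER USER scott ACCOUNT UNLOCK;

-- 2. Why the profile does not protect the hash itself. Anyone who can read
--    the hash (DBA_USERS here; SYS.USER$ and an export file carry the same
--    value) ...
SELECT username, password
FROM   dba_users
WHERE  username = 'SCOTT';

--    ... recreates the account in a database they control, with no profile
--    and no lockout, and tests candidate passwords as fast as that machine
--    can compute the hash. The hash is the published SCOTT/TIGER value.
CREATE USER scott IDENTIFIED BY VALUES 'F894844C34402B67';
GRANT CREATE SESSION TO scott;
CONNECT scott/tiger      -- SQL*Plus command, not SQL: a successful connect confirms the guess
```

The last step is the whole point of Igor's reply: the lockout counter lives in the database that holds the real account, and the copy the attacker built from the hash has no counter at all. Only the strength of the hash and of the password stands between the hash and the password, which is why the profile is a complement to, not a substitute for, a strong algorithm and a minimum password length enforced by the verify function.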