Oracle FAQ Your Portal to the Oracle Knowledge Grid
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Secure oracle password length

Re: Secure oracle password length

From: Igor Laletin <ilaletin_at_usa.net>
Date: 25 Feb 2002 19:41:03 -0800
Message-ID: <f9226414.0202251941.7852ab36@posting.google.com>


"Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<a5cvmu$7ce$1_at_lust.ihug.co.nz>...
> "Igor Laletin" <ilaletin_at_usa.net> wrote in message news:f9226414.0202250113.69df43d5_at_posting.google.com...
> > "Howard J. Rogers" <dba_at_hjrdba.com> wrote in message news:<a5cask$j6e$1_at_lust.ihug.co.nz>...
> > > Oracle passwords are *not* encrypted. They are hashed, which is quite a
> > > different thing altogether.
> >
> > ... and that's bad. The password security should not rely completely
> > on external protection like profiles.
>
> What do you mean 'external'? Profiles are as much a part of the database as
> passwords (or tables or indexes).

Sorry, bad wording. I mean passwords should have protection of their own. It doesn't matter how many and what other security features you have in Oracle. If you use account locking - good on you. If you don't, a stranger still shouldn't be able to crack a password.

...

> > > And yet again, you seem to imply a weakness where none need exist: it
> > > wouldn't matter if you threw a Pentium VI 92789468GHz processor at the job
> > > of cracking a password, if after three attempts the account is locked, would
> > > it?
> >
> > Profiles are not an excuse for the lack of a proper encryption.
>
> So you say. I can't see the difference myself. The point is to deny a
> stranger the ability to crack your database. Encryption might do that; hash
> function plus profile does the job equally effectively.

Even if a hacker knows an encrypted password it's still protected (by encryption). Profiles deny cracking but only in your database - you can create a user with the same hash in another db and crack it there. Profiles also open you to DoS attacks. My point is profiles are _not_ the right way to protect passwords.

> Holding out for a "purer" solution that achieves no added functionality seems to me perverse.
> If you are *that* concerned, spend the extra dollars and purchase Oracle
> label security or Trusted Oracle.
>
> Remember too that Oracle has all the hooks you could ask for to implement
> Kerberos, RADIUS, DES or any other asecure networking technology.

Can you imagine a Unix vendor saying - sorry, we keep passwords in plain text but there are third-party products to encrypt them? Why not use strong encryption for db passwords, is it _that_ difficult?

> You simply cannot say that Oracle is, per se, insecure.

I never said that ... no, it's not completely insecure ... but could be more secure out of the box.

> > If you have a hashed password, just create user .. identified by values in a
> > private database and take your time. Pentium VI 92789468GHz would come
> > handy :)
>
> You forgot the bit about locking the account.

No, I didn't. Create a user somewhere you're sys, e.g. in your private toy database on your C: drive.

> > BTW account locking is not that great. I'd make those three attempts
> > and would lock all your db accounts. Simple DoS attack.
>
> You'd have to know all my user names first.

Most shops have standards for user names - just follow your local standard :) If an application uses a single account for all connections, its name is often well known or somewhere in .ini files. Happens more often than you would expect. Plus other ways to find out usernames mentioned by other posters. Plus all Oracle standard names of course.

> And DoS is not quite as bad as
> having all my secret, sensitive data plastered all over the Internet, is it?

Not quite as bad but still very bad. How about a mission critical application with hundreds of locked-out accounts?

> HJR
Igor

Received on Mon Feb 25 2002 - 21:41:03 CST
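As an added example that is not part of the thread, this is the Oracle profile mechanism Howard's "after three attempts the account is locked" refers to, written the way a DBA would use it if the lockout-DoS Igor describes is a concern: a failed-login limit combined with a lock that expires on its own, plus the view a DBA checks to spot a burst of locked accounts. The profile name, user name and chosen limits are assumptions, not values from the thread.

```sql
-- Added example (not from the thread). Profile and user names are assumed.
-- FAILED_LOGIN_ATTEMPTS locks the account after N consecutive failures;
-- PASSWORD_LOCK_TIME is expressed in days, so 1/144 of a day = 10 minutes.
-- A finite lock time means a flood of bad logins against known account
-- names only delays users for minutes, whereas UNLIMITED keeps every
-- account locked until a DBA intervenes, which is what turns the lockout
-- into a denial of service.
CREATE PROFILE app_login_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LOCK_TIME    1/144
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7;

-- Attach the profile to an application account (assumed name).
ALTER USER app_user PROFILE app_login_profile;

-- What a DBA checks when users start reporting lockouts: many accounts
-- with a LOCK_DATE in the same short window is the signature of the
-- mass-lockout scenario from the thread rather than of forgotten passwords.
SELECT username, account_status, lock_date
  FROM dba_users
 WHERE account_status LIKE '%LOCKED%'
 ORDER BY lock_date DESC;

-- Manual recovery for an account locked with PASSWORD_LOCK_TIME UNLIMITED
-- (or to clear the lock early); with a finite lock time this is not needed.
ALTER USER app_user ACCOUNT UNLOCK;
```

Note that this only addresses the lockout side of the argument: a profile limits online guessing against this database and, with a finite lock time, bounds the damage of a lockout flood. It does nothing about the offline case Igor raises, where a copied hash is attacked elsewhere; that depends on the strength of the hash itself.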

