Re: Oracle Passwords

From: Mark D Powell <>
Date: Tue, 3 Apr 2012 07:15:20 -0700 (PDT)
Message-ID: <484146.149.1333462520609.JavaMail.geo-discussion-forums_at_ynjc20>

On Wednesday, March 28, 2012 11:42:17 AM UTC-4, dombrooks wrote:
> Oracle passwords are not encrypted but a one-way hash i.e. you can't un-encrypt/decrypt them.

Dombrooks, an Oracle employee gave a talk on how Oracle hashed the passwords a few years back, and using that talk a couple of academics developed a method to reverse engineer the hashed password and published a paper on the subject. Hence with 11g Oracle has come out with a new, much stronger password hash methodology. But you can break the majority of 10g and below Oracle passwords in an average of only 21 days of computing power. You greatly increase the difficulty of reversing the hash if you make the password greater than 8 bytes in length.

Making use of the relatively new password-related profile parameters to limit the number of failed logon attempts before locking an account and the delay between allowing another login attempt after a failed logon attempt offers a fair amount of protection from brute force attacks.

HTH -- Mark D Powell --

Received on Tue Apr 03 2012 - 09:15:20 CDT
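The profile limits mentioned in the message above, shown as an added example that is not part of the original post: a profile that locks an account after repeated failed logons, plus two audit queries a DBA can run to find accounts with no effective lockout and accounts that still carry a 10g-format password hash. The profile name `secure_logon`, the user `app_user`, and the limit values are assumptions chosen for illustration; the queries assume an 11g data dictionary (`DBA_USERS.PASSWORD_VERSIONS`).

```sql
-- Added example: names and limit values are illustrative assumptions.

-- 1. Profile that locks the account after 5 failed logons and keeps it
--    locked for one hour (PASSWORD_LOCK_TIME is expressed in days).
CREATE PROFILE secure_logon LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24;

-- Assign the profile to a (hypothetical) application account.
ALTER USER app_user PROFILE secure_logon;

-- 2. Audit: accounts whose effective lockout settings are UNLIMITED.
--    A profile limit of 'DEFAULT' inherits from the DEFAULT profile,
--    so resolve that before comparing.
SELECT u.username,
       u.profile,
       p.resource_name,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
FROM   dba_users    u
JOIN   dba_profiles p ON p.profile = u.profile
JOIN   dba_profiles d ON d.profile = 'DEFAULT'
                     AND d.resource_name = p.resource_name
WHERE  p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME')
AND    DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'UNLIMITED'
ORDER  BY u.username, p.resource_name;

-- 3. Audit: open accounts that still have a 10g-format hash stored,
--    i.e. the weaker hash the message refers to.
SELECT username,
       profile,
       account_status,
       password_versions
FROM   dba_users
WHERE  password_versions LIKE '%10G%'
AND    account_status = 'OPEN'
ORDER  BY username;
```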
