Re: Oracle password encryption algorithm?

From: Carl Brewer <carl_at_oversteer.library.uwa.edu.au>
Date: 6 Jul 1993 09:30:41 GMT
Message-ID: <21bgo1$cic_at_uniwa.uwa.edu.au>


In article <21aqcs$c04_at_Tut.MsState.Edu> tbhudson_at_whale.st.usm.edu (Trammell B. Hudson) writes:
>In article <21apmc$121_at_gaia.ucs.orst.edu>, mickel_at_OES.ORST.EDU (Paul Mickel) writes:
>|> In article <1993Jul1.134033.1_at_cbr.hhcs.gov.au> pihlab_at_cbr.hhcs.gov.au writes:
>|> >In article <1993Jun30.154324.1_at_cissys>, trahan_at_cissys.read.tasc.com (Dave Trahan) writes:
>|> >>
>|> >> Does anyone know what algorithm Oracle uses to encrypt user passwords?
>|> >
>|> >Hopefully, only Oracle and it's well guarded. If everyone knew the algorithm
>|> >then there would be no point in having a password because the encrypted value
>|> >is stored (visible) in the database and you could run a program to crack
>|> >anyone's account.

This is possible, if your passwd choice is poor and/or the crypt routine is weak. Any decent passwd crypt will be a one-way algorithm; the only way to break it is by brute force.

>
> Wait! Why do encryption algorithms have to be guarded? Didn't UNIX
>leave the /etc/passwd file with encrypted passwds in plain view for years?
>If the algorithm is sufficiently nonreversible, then the algorithm AND the
>encrypted passwds can be in plain view without any problems.

Not quite true. Most security-conscious sites have implemented shadow passwording, but it's true: if you use the UNIX crypt() algorithm, and your passwd is a "good" passwd, then to crack it by brute force takes several hundred years using a network of 20 Sun SPARC 2's.

>
> Having the passwd in the argv for a program is another matter. That
>is serious if plaintext passwds are stored for any longer than necessary.

passwds should *NEVER* be stored as plaintext anywhere (on a multi-user OS anyway; DOS stuff doesn't matter, its security is a joke anyway). Any programme that takes passwords seriously should not use an argv for password entry. C has a system call to do it for you ( getpass() ) and it's fairly trivial to write one yourself. Of course, if the passwding in Oracle was designed as a gimmick, rather than serious security .....

--
Carl Brewer				Ph :61-9-380-1893 | #include \
Systems/Network Officer, Reid Library   Fax:61-9-380-1012 | <std_disclaimer.h>
University of Western Australia		carl_at_oversteer.library.uwa.edu.au
Merlin, where are you?  Call your Dragon, to weave a mist ....
Received on Tue Jul 06 1993 - 11:30:41 CEST
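The two points the post makes (a one-way, salted password hash can be stored in plain view once the algorithm is public, and the password should be read from the terminal rather than argv) as an added example that is not part of the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of the 1993-era crypt(3); the iteration count and sample passwords are constructed for this example.

```python
import getpass
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameter: work factor for PBKDF2 (stands in for crypt(3)'s
# iterated DES; the one-way property is what matters here).
ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable "salt$digest" record. The plaintext is never kept;
    with the algorithm fully public, the only attack left is brute force."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time
    so the comparison itself leaks nothing about the stored value."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def prompt_and_verify(record: str) -> bool:
    """Read the password with no echo from the controlling terminal, the
    Python equivalent of C's getpass(); argv would be visible to other
    users of a multi-user system via ps."""
    return verify(getpass.getpass("Password: "), record)


if __name__ == "__main__":
    rec = make_record("correct horse")
    print("stored record:", rec)          # safe to show: one-way and salted
    print("right password:", verify("correct horse", rec))
    print("wrong password:", verify("correct hoarse", rec))
```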
