Re: Keeping Passwords Secure

From: Warren Van-Wyck <wvan_at_moose.uvm.edu>
Date: Fri, 16 Sep 1994 13:53:57 GMT
Message-ID: <1994Sep16.135357.26557_at_emba.uvm.edu>


Lee E Parsons (lparsons_at_world.std.com) wrote:
: Sam Nelson <sam_at_cs.stir.ac.uk> wrote:
: >I had some useful suggestions by email from David Rolfe (of Sun, apparently?)
: >involving adding some whitespace to the front of `username/password' strings
: >until they disappear off the end of the command line quoted by `ps'. This
: >strategy looks promising. It still doesn't get me past the `looking over the
: >shoulder' problem though, and I find it difficult to believe that this hasn't
: >been a significant problem elsewhere, let alone remained completely unaddressed
: >by Oracle all these years.
 

: To be fair to Oracle they have thought about it. They have just
: chosen not to do anything. :-}

    I asked a similar question a few months ago but never got an answer.
    It appears that the program that is running can alter what appears in
    the 'ps -f' display for commands. In fact for 'runform' (aka 'iad')
    if a UserId/Password is entered on the command line, it does NOT show
    in a 'ps' display (at least for AIX 3.2.5 and SQL*Forms 3.0).

    So Oracle has demonstrated that they can do something.
    The outstanding question is why they don't do the same sort of
    modification for SQL*Plus and save the Oracle users (us) another
    round of these discussions and also provide some elementary
    security for UserId/Passwords? ? ?

: You have only 2 good options as I see them. 1) change the behavior
: of ps or 2) change the behavior of sqlplus.

    Oracle should change the behavior of sqlplus.    

: Regards,
 

: Lee E. Parsons
: Systems Oracle DBA lparsons_at_world.std.com

--

   Warren Van Wyck,  University of Vermont,  wvan_at_moose.uvm.edu
   Analyst/Programmer  
Received on Fri Sep 16 1994 - 15:53:57 CEST
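
The in-place command-line change discussed in the message above, sketched in C as an added example that is not part of the original post and not Oracle's code; `scrub_credential_arg` is a hypothetical helper and `scott/tiger` is a constructed sample value. On Linux, `ps` reads the process's own argv memory through `/proc/<pid>/cmdline`, so the overwrite shows up there; other systems may behave differently, and the argument stays visible between exec and the scrub.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: move a "user/password" argument out of argv.
 * Copies it into the caller's private buffer `out`, then overwrites the
 * argv string in place so the process listing no longer carries it.
 * Returns 0 on success, -1 if the argument does not fit in `out`.
 * The argv string is scrubbed in both cases. */
int scrub_credential_arg(char *arg, char *out, size_t outlen)
{
    size_t len = strlen(arg);
    int rc = 0;

    if (len + 1 <= outlen) {
        memcpy(out, arg, len + 1);
    } else {
        if (outlen > 0)
            out[0] = '\0';          /* never hand back a partial secret */
        rc = -1;
    }

    /* Overwrite only the bytes that were there: argv strings live in a
     * fixed region and must not be lengthened. The volatile pointer keeps
     * the compiler from dropping the stores. */
    volatile char *p = arg;
    for (size_t i = 0; i < len; i++)
        p[i] = '\0';
    if (len > 0)
        p[0] = 'x';                 /* one-byte marker, hides the length */
    return rc;
}

/* Usage (constructed): ./a.out scott/tiger */
int main(int argc, char **argv)
{
    char cred[128] = "";

    if (argc > 1 && scrub_credential_arg(argv[1], cred, sizeof cred) != 0) {
        fprintf(stderr, "credential argument too long\n");
        return 1;
    }
    /* `cred` is now the only copy; use it to connect, then clear it too. */
    printf("argv[1] as now exposed: %s\n", argc > 1 ? argv[1] : "(none)");
    return 0;
}
```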
