From: Andy Klock <andy@oracledepot.com>
Date: Sun, 3 Mar 2019 08:39:30 -0500
Message-ID: <CADo_RaPpnLQHnSX4SPaFN=6-_CAWxc25Dprhn=Of0n6VOwBVFQ@mail.gmail.com>
Subject: Re: Fun with ALTER_USER
To: Gus Spier <gus.spier@gmail.com>
Cc: oracle-l <oracle-l@freelists.org>

On Thu, Feb 28, 2019 at 3:26 PM Gus Spier <gus.spier@gmail.com> wrote:

>
> It fell in my lap to produce the tool. It certainly seems that it should
> work. But I suspect there are complications with which I am unfamiliar.
>
>
Apart from Dynamic SQL being the devil and me not wanting to rain on your
fun, this all looks like a really bad idea. I like that management is
trying to address a common attack vector, but this tool is opening ways to
hand passwords to would-be attackers. If the connection from the client to
the database isn't encrypted then the password is going over the wire in
clear text. And since it is being passed into a bind variable then it is
sitting in the SGA in clear text. (Meaning, anyone with SELECT ANY
DICTIONARY, regardless of who they are or what their role is, can possibly
see it).

The best tool for changing passwords is sqlplus. (But you probably already
knew that :) ) It validates that the old password is known and that the new
password has been typed in correctly twice. The new password is never sent
or stored in clear text, so it is dramatically more secure. Time would be
better spent writing a function that validates that the new password
conforms to your company policy.

https://docs.oracle.com/database/121/DBSEG/authentication.htm#GUID-38B80221-55AE-4928-9AC0-4CAFFD5A4E96

And hopefully your DEVs are using wallets :)

Sorry about being a bummer.

Andy K
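Added here as a worked example of the policy-check function Andy suggests; it is not code from the thread. It uses Oracle's PASSWORD_VERIFY_FUNCTION profile hook, so the policy is enforced inside the database on every password change (including the sqlplus "password" command) and the new password never has to pass through a separate tool. The function name company_pw_verify and the specific rules are assumptions for this example; the function must be created in the SYS schema.

```sql
-- Example only (not the thread's tool): a password verification function
-- wired into a profile. Oracle calls it on each password change with the
-- username, the proposed password and, when the user changes their own
-- password, the old one (old_password is NULL for DBA-driven changes).
CREATE OR REPLACE FUNCTION sys.company_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN
IS
BEGIN
    -- Rule 1 (assumed policy): minimum length of 12 characters.
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001,
            'Password must be at least 12 characters');
    END IF;

    -- Rule 2 (assumed policy): at least one upper, lower, digit and
    -- non-alphanumeric character.
    IF NOT REGEXP_LIKE(password, '[[:upper:]]')
       OR NOT REGEXP_LIKE(password, '[[:lower:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
        raise_application_error(-20002,
            'Password needs upper, lower, digit and special characters');
    END IF;

    -- Rule 3: the username must not appear in the password (INSTR rather
    -- than REGEXP_LIKE so a username containing metacharacters is safe).
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20003,
            'Password must not contain the username');
    END IF;

    -- Rule 4: a user changing their own password may not reuse the old one.
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004,
            'New password must differ from the old password');
    END IF;

    RETURN TRUE;
END;
/

-- Attach the function to the profile whose users it should govern.
ALTER PROFILE default LIMIT PASSWORD_VERIFY_FUNCTION company_pw_verify;
```

Because the function runs inside the server, the plaintext password it inspects is the one Oracle already has for the change; nothing about the policy check requires the password to be logged, stored or shipped elsewhere.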

--
http://www.freelists.org/webpage/oracle-l