Re: same dba password for all instances : is it secure ?
Karsten Farrell wrote:
> Fleury Marcel wrote:
> > Hello,
> > We administrate about 60 Oracle Instances.
> >
> > SYS has its password, for example syspwd, and SYSTEM also has its password,
> > for example systempwd.
> > But we use the same on all Oracle Instances.
> >
> > So if someone knows a password, he can use it for all Instances.
> >
> > But it is difficult to ask the DBA to use a distinct password for each
> > Instance.
> >
> > Suggestions to perform this security are welcome.
> > Or advice to remember each password
> >
> > Thank you
> >
> > Marcel
> You can carry security to its extreme, to the point where your system is
> nearly unusable. Over the years, passwords have been shown to be a
> rather "weak" protection scheme. Just type "oracle crack" in Google and
> you'll see one person's Oracle password cracker (for only US$4). You'll
> also see lots of warez or hacker sites (some in languages I can't read).
>
> However, on the other side of the coin, I use different passwords on
> each of my databases (we have about 60 also). The passwords aren't
> radically different ... just coded to the database.
>
> I don't do this because it's meant to thwart a hacker intrusion. Rather
> it's to keep me from making a "fumble-fingered" mistake. It's an extra
> mental "check" to verify to myself that I'm connecting to the correct
> database. It's probably a bad idea - I inherited it from the former DBA
> - but all our databases are named the same (RX). Having different
> passwords gives me that extra assurance that I've connected to the
> correct RX.
>
> Just a thought.
It is true that any system can be attacked. But password security is hardly the only layer Oracle provides. I have systems I have developed where I could hand you a valid user-id and password and you still couldn't get in. At least without being at the correct IP address on the correct domain using the correct front-end tool and having access to receive email at a specific address.
To implement Oracle security ... you should always consider all of the varying options and use them in concert to achieve an appropriate security level.
Daniel Morgan
Received on Thu Oct 31 2002 - 11:50:05 CST
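
One way to build the IP-address layer mentioned in the reply above, so that a valid user-id and password alone are not enough. This is an added example, not code from the thread or its posters. The table `logon_allowlist`, the trigger `trg_restrict_logon`, the account `APP_OWNER` and the sample address are assumed names and constructed values, and the script is assumed to run in a dedicated schema that holds the ADMINISTER DATABASE TRIGGER privilege.

```sql
-- Added example. Assumed names: LOGON_ALLOWLIST, TRG_RESTRICT_LOGON, APP_OWNER.
-- One row per (account, client IP) pair that is permitted to log on.
CREATE TABLE logon_allowlist (
  username   VARCHAR2(128) NOT NULL,
  ip_address VARCHAR2(45)  NOT NULL,
  CONSTRAINT logon_allowlist_pk PRIMARY KEY (username, ip_address)
);

-- Constructed sample row: APP_OWNER may connect only from 192.0.2.10.
INSERT INTO logon_allowlist (username, ip_address)
VALUES ('APP_OWNER', '192.0.2.10');
COMMIT;

CREATE OR REPLACE TRIGGER trg_restrict_logon
AFTER LOGON ON DATABASE
DECLARE
  v_user    VARCHAR2(256) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip      VARCHAR2(256) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_listed  PLS_INTEGER;
  v_allowed PLS_INTEGER;
BEGIN
  -- Accounts with no allowlist rows are not restricted by this trigger.
  SELECT COUNT(*) INTO v_listed
    FROM logon_allowlist
   WHERE username = v_user;

  IF v_listed > 0 THEN
    -- IP_ADDRESS is NULL for local (bequeath) connections; the equality
    -- test then matches no row, so a listed account is refused locally too.
    SELECT COUNT(*) INTO v_allowed
      FROM logon_allowlist
     WHERE username = v_user
       AND ip_address = v_ip;

    IF v_allowed = 0 THEN
      -- An unhandled error in an AFTER LOGON trigger ends the new session.
      RAISE_APPLICATION_ERROR(-20001, 'Logon refused for this client');
    END IF;
  END IF;
END;
/
```

An error raised in a logon trigger does not stop accounts that hold ADMINISTER DATABASE TRIGGER, which the DBA role includes, so this layer constrains application accounts and not SYS or SYSTEM. The client program name is supplied by the client itself, so a front-end tool check is not shown here and would only be a weak additional signal.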