Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Re: Encrypted Fields

Re: Encrypted Fields

From: Ed Prochak <ed.prochak_at_magicinterface.com>
Date: Wed, 29 Jan 2003 18:28:13 GMT
Message-ID: <3E3820A2.B03FA182@magicinterface.com> 





Bigus Dickus wrote:


> 

> Is it possible to encrypt fields at the table level in 8.1.7?

> 

> For instance, we currently have a hashing algorithm which encrypts

> passwords and then stores the hash in the password field of the user

> table.  However, the hash can be copied from user to user.  For

> instance, it is possible to create a dummy user, copy the admin's

> password into the dummy user account, copy the password from your own

> account into admin, et voila! you are able to login as admin with your

> own password.  Once you are done hacking away at the system, you simply

> swap the passwords back and delete the dummy account record from the

> table.

> 

> It seems to me that there should be something within Oracle which would

> prevent this.




It seems to me that if they hacked into the DB, there is nothing ORACLE
can do about it. You need to prevent the hacking.



 Why is a normal user able to access and modify the password table in
the first place? Remove the privileges from your users to access that
table. (Have you talked to your DBA about this???) 



--
Ed Prochak
Magic Interface, Ltd.
440-498-3700(office)
Computer consulting, database and web services.


Received on Wed Jan 29 2003 - 12:28:13 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US