Secure oracle password length
Hi,
I just want to say that any password shorter than 7 symbols might be insecure when its password hash (the password column of the sys.user$ table) is known. In this case the password can be recovered simply by a 'brute-force' attack (20000 - 30000 passwords per second on any modern PC). For instance, a 6-symbol password will be recovered in approximately 40^6 / (2*10^4) / 3600 = 57 hours.
In my opinion this is a shortcoming of the current password hashing algorithm (because Oracle hasn't modified it for too long). Probably, it shouldn't be possible to evaluate more than 1000 password hashes per second on any processor or platform.
Thank you,
Maxim.
Received on Fri Feb 15 2002 - 12:31:10 CST
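
An added example, not part of the original post: it generalizes the post's estimate to any length and guess rate, and calibrates a key-stretching iteration count so that one hash evaluation costs at least 1/1000 s on the machine running it. PBKDF2-HMAC-SHA256 stands in as the slow hash (an assumption; it is not Oracle's algorithm), and all function names are hypothetical.

```python
import hashlib
import os
import time

ALPHABET_SIZE = 40    # symbol count used in the post's estimate
POST_RATE = 20_000    # guesses per second, lower figure from the post
TARGET_RATE = 1_000   # per-second ceiling proposed in the post


def exhaustive_search_hours(length, rate, alphabet=ALPHABET_SIZE):
    """Worst-case hours to try every password of exactly `length` symbols."""
    return alphabet ** length / rate / 3600


def min_length_for(hours, rate, alphabet=ALPHABET_SIZE):
    """Shortest length whose full keyspace takes at least `hours` at `rate`."""
    length = 1
    while exhaustive_search_hours(length, rate, alphabet) < hours:
        length += 1
    return length


def calibrate_iterations(target_rate=TARGET_RATE, probe=20_000):
    """Time PBKDF2 on this machine and return the iteration count at which
    one hash takes at least 1/target_rate seconds. The result is only valid
    for the hardware it was measured on."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-sample", salt, probe)
    per_iteration = (time.perf_counter() - start) / probe
    return max(1, int(1 / target_rate / per_iteration) + 1)


def stretched_hash(password, salt, iterations):
    """Salted, iterated hash to store instead of a fast unsalted one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


if __name__ == "__main__":
    print("len  hours @20000/s  hours @1000/s")
    for n in range(5, 10):
        print(f"{n:>3}  {exhaustive_search_hours(n, POST_RATE):>14.0f}"
              f"  {exhaustive_search_hours(n, TARGET_RATE):>13.0f}")
    year = 24 * 365
    print("min length for 1 year @20000/s:", min_length_for(year, POST_RATE))
    print("min length for 1 year @1000/s: ", min_length_for(year, TARGET_RATE))
    iters = calibrate_iterations()
    print("PBKDF2 iterations for <=1000 hashes/s here:", iters)
    print(stretched_hash("constructed-pw", os.urandom(16), iters).hex())
```

The figures are worst-case times for a full keyspace sweep; on average a guess succeeds after half that time.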