
Secure oracle password length

From: Maxim Anisiutkin <manisiutkin_at_grtcorp.com>
Date: 15 Feb 2002 10:31:10 -0800
Message-ID: <71ce14f2.0202151031.7db08394@posting.google.com>


Hi,

        I just want to say that any password shorter than 7 symbols might be insecure when its password hash (the password column of the sys.user$ table) is known. In this case the password can be recovered simply by a 'brute-force' attack (20000 - 30000 passwords per second on any modern PC). For instance, a 6-symbol password will be recovered in approximately 40^6 / (2*10^4) / 3600 = 57 hours.

        In my opinion this is a flaw in the current password hashing algorithm (because Oracle hasn't modified it for too long). Probably, it shouldn't evaluate more than 1000 password hashes per second on any processor and platform.

Thank you,
Maxim.

Received on Fri Feb 15 2002 - 12:31:10 CST
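
Added example, not part of the original post: the post's search-time arithmetic generalized to other lengths and hash rates, plus a calibration of an iteration count for PBKDF2-HMAC-SHA256 (a stand-in slow hash, not Oracle's algorithm) so that this machine computes at most about 1000 hashes per second. The function names, the sample password and salt, and the one-year target used in the output are assumptions.

```python
import hashlib
import math
import time

ALPHABET = 40        # symbols per position, as in the post's 40^6 estimate
POST_RATE = 20_000   # guesses per second, the lower figure quoted in the post
TARGET_RATE = 1_000  # hashes per second, the ceiling the post proposes


def exhaustive_hours(length, rate, alphabet=ALPHABET):
    """Hours to try every password of exactly `length` symbols at `rate` guesses/s."""
    return alphabet ** length / rate / 3600


def min_length(target_hours, rate, alphabet=ALPHABET):
    """Shortest length whose full keyspace takes at least `target_hours` to search."""
    guesses_needed = target_hours * 3600 * rate
    length = 1
    while alphabet ** length < guesses_needed:
        length += 1
    return length


def calibrate_iterations(max_rate=TARGET_RATE, probe=20_000):
    """Estimate the PBKDF2-HMAC-SHA256 iteration count that holds one core of
    this machine at or below `max_rate` hashes per second."""
    start = time.perf_counter()
    # Constructed sample password and salt, used only to time the primitive.
    hashlib.pbkdf2_hmac("sha256", b"constructed-sample", b"constructed-salt", probe)
    seconds_per_iteration = (time.perf_counter() - start) / probe
    return max(1, math.ceil((1 / max_rate) / seconds_per_iteration))


if __name__ == "__main__":
    print("length  hours@20000/s  hours@1000/s")
    for n in range(5, 10):
        print(f"{n:>6}  {exhaustive_hours(n, POST_RATE):>13.0f}"
              f"  {exhaustive_hours(n, TARGET_RATE):>12.0f}")
    year = 24 * 365
    print("min length for a 1-year search at 20000/s:", min_length(year, POST_RATE))
    print("min length for a 1-year search at 1000/s: ", min_length(year, TARGET_RATE))
    print("iterations for <= 1000 hashes/s here:", calibrate_iterations())
```

The calibrated count only bounds the rate on the machine that ran it; faster or parallel hardware computes more hashes per second, so the count needs re-measuring as hardware changes.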
