Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Secure oracle password length

Secure oracle password length

From: Maxim Anisiutkin <manisiutkin_at_grtcorp.com>
Date: 15 Feb 2002 10:31:10 -0800
Message-ID: <71ce14f2.0202151031.7db08394@posting.google.com> 





Hi,



        I just want to say that any password shorter than 7 symbols might be
insecure when its password hash (password column of sys.user$ table)
is known. In this case password can be recovered simply by
'brute-force' attack (20000 - 30000 passwords per second on any modern
PC). For instance, 6 symbol password will be recovered approximately
in 40^6 / 2*10^4 / 3600 = 57 hours.


        In my opinion this is the lack of current password hashing algorithm
now (because Oracle didn&#8217;t modify that too long). Probably, it
shouldn&#8217;t evaluate more than 1000 password hashes per second on
any processor and platform.



Thank you,


Maxim.
Received on Fri Feb 15 2002 - 12:31:10 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US