Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Adding some random characters to Oracle password

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Fri, 29 Oct 2004 05:48:20 +1000
Message-Id: <41814cf2$0$32574$afc38c87@news.optusnet.com.au>


Alan wrote:

>
> "Howard J. Rogers" <hjr_at_dizwell.com> wrote in message
> news:4181460a$0$21982$afc38c87_at_news.optusnet.com.au...

>> Alan wrote:
>> [snip]
>>
>> >>
>> >> Scalability is just one concern. What happens if the secret ID and
>> > password
>> >> ever get discovered?
>> >
>> > It can't get discovered because it is hard-coded and compiled into the
>> > app. Source code is secured.
>>
>> Oh dear. I kind of knew you'd say that.
>>
>> And no-one could take your application and reverse engineer it? No-one
>> could torture your developers (now there's a thought) to discover what it is?
>> No-one could packet sniff your network to discover what is being sent?
>>
>> "It can't get discovered" is a *huge* claim to make.
>>
>
> Well, you need to know the situation here. Of course the extreme measures
> you described could be used (and the torture part is fine with me), but
> the application involved isn't worth the effort. It just needs to be
> secured internally, to prevent sales offices from seeing each other's
> information. And, to be truthful, it's not exactly as I stated- it is far
> less secure, but that was not my decision, nor is it my problem. Without
> going into details, I'll just say that the user id and password can be
> found, if you know where to look. And, no, I don't build my applications
> that way- this was done by a former regime, but management is happy with
> it. I posted this method to indicate that there are alternatives,
> depending on your situation. This all reminds me of a Dilbert cartoon I
> saw yesterday:
>
> Boss: Tell me again what the issue is.
>
> Dilbert: Do you want the simple but misleading explanation or the one you
> won't understand?
>
> Boss: Either one is good; I wasn't planning on listening.
>
>
> Now you can understand how we got to this security implementation.

LOL! Cheered me up no end!

I'm not having a go at you, Alan. I try and talk generalities when the thread gets like this. In *general*, and I suspect you agree with it, this sort of approach is not very secure. Good enough for many? Probably. But fairly easily broken "if you know where to look"? Absolutely.

And in the context of the original post, there are therefore better, more reliable ways of locking things down, which Oracle provides more-or-less with the product, and which don't rely on not knowing where to look.

Overkill for a 10MB test database? Of course. Perhaps of use to the OP. Possibly.

Regards
HJR

Received on Thu Oct 28 2004 - 14:48:20 CDT
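An added illustration of the point argued in the post above (example code written for this page; it is not code from either poster or from Oracle): a user id and password compiled into an application are recoverable with a strings(1)-style scan, and "hiding" them with a single-byte XOR only costs the attacker 255 more scans. The fake binary, the fake machine code, the connect strings sales_app/Tr0ub4dor@ORCL and hr_ro/B3tter1uck@HRDB, the XOR key 0x9c and the minimum-length rule in the regex are all constructed for the demo.

```python
"""Added example for this thread (not code from either poster, nor Oracle's):
how "reverse engineer it" plays out against a credential compiled into an
application.  Everything below is constructed for the demo: the fake binary,
the connect strings, the fake machine code and the XOR key are assumptions."""
import re

# Printable ASCII as strings(1) treats it; tabs and newlines deliberately excluded.
PRINTABLE = frozenset(range(0x20, 0x7F))

# Oracle-style connect string user/password@service.  The minimum lengths are an
# assumed filter to keep brute-force noise down, not an Oracle rule.
CONNECT_RE = re.compile(r"\b([A-Za-z][\w$#]{2,})/([^\s@/]{6,})@([\w.]{3,})\b")

# Constructed demo data: hypothetical accounts, passwords, services and key.
PLAIN_CREDENTIAL = b"sales_app/Tr0ub4dor@ORCL"
HIDDEN_CREDENTIAL = b"hr_ro/B3tter1uck@HRDB"
XOR_KEY = 0x9C


def strings(blob: bytes, min_len: int = 6):
    """Yield runs of at least min_len printable ASCII bytes, like strings(1)."""
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def find_credentials(blob: bytes):
    """Return every user/password@service connect string visible in the blob."""
    hits = []
    for s in strings(blob):
        for m in CONNECT_RE.finditer(s):
            hits.append({"user": m.group(1), "password": m.group(2),
                         "service": m.group(3)})
    return hits


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def find_xor_obfuscated(blob: bytes):
    """Try every single-byte XOR key and rescan: the 'hidden' credential falls out."""
    hits = []
    for key in range(1, 256):
        for h in find_credentials(xor_bytes(blob, key)):
            hits.append(dict(h, xor_key=key))
    return hits


def build_fake_binary() -> bytes:
    """Constructed stand-in for the compiled app: code bytes, a SQL statement, an
    error message, the plain credential, and a second credential XORed with XOR_KEY."""
    code = b"\x55\x48\x89\xe5\x48\x83\xec\x10" * 40   # fake x86-64 prologue bytes
    return b"".join([
        code,
        b"SELECT office_id, total FROM orders WHERE office_id = :1\x00",
        code,
        PLAIN_CREDENTIAL + b"\x00",                    # compiled in as-is
        code,
        b"ORA-01017: invalid username/password; logon denied\x00",
        xor_bytes(HIDDEN_CREDENTIAL, XOR_KEY) + b"\x00",   # compiled in "hidden"
        code,
    ])


if __name__ == "__main__":
    blob = build_fake_binary()
    print("plain strings scan:", find_credentials(blob))
    print("xor brute force   :", find_xor_obfuscated(blob))
```

The plain scan returns sales_app/Tr0ub4dor@ORCL straight away, and the brute force returns hr_ro/B3tter1uck@HRDB with key 0x9c; neither the ORA-01017 text nor the SQL trips the pattern. The lesson is the one the thread is circling: hiding the credential better is not the fix, because anything the application can decode, the attacker can decode too. Keeping the per-office restriction on the database side, where the client never holds a shared secret, is what removes the problem.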
