

Re: Exciting Oracle News :: Oracle DB Worm Code Published :: Oracle Passwords Crack in Mere Minutes

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: 4 Nov 2005 07:06:06 -0800
Message-ID: <1131116766.011457.83730@o13g2000cwo.googlegroups.com>


The published code requires both access to a local database, that public has not been revoked from utl_tcp as recommended (though Oracle does grant public by default on the package), and that locally accessible databases with unlocked default IDs exist.

There are locations this dumb, but there are probably less of them around now than just a couple of years ago.

The ability to de-hash the password is more of a concern to me; however, the average time to crack a password was 20 days. If you use longer passwords then the average time to crack becomes much longer. Combine longer passwords with the requirement to change the password every X days and security is much improved.

But Oracle does need to look at this. The problem is an improvement here is most likely going to require that the password hash be recalculated when the fix is put into place.

It is too bad the enterprise authentication feature is not free.

IMHO -- Mark D Powell -- Received on Fri Nov 04 2005 - 09:06:06 CST
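The three mitigations the post lists (revoke PUBLIC's execute on UTL_TCP, lock unused default IDs, and enforce longer passwords with periodic expiry) as a defensive Oracle SQL*Plus script. This is an added example, not code from the post or from Oracle; the profile name `hardened_pwd`, the verify function `min_len_verify`, the users `scott` and `app_user`, and the 90-day lifetime and 12-character minimum are constructed values chosen for illustration. Run as a DBA and review each query's output before applying the change that follows it.

```sql
-- 1. Who currently holds EXECUTE on UTL_TCP? Expect PUBLIC on a default install.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'UTL_TCP';

-- Remove the blanket grant, then re-grant only to schemas that genuinely need it.
REVOKE EXECUTE ON SYS.UTL_TCP FROM PUBLIC;
GRANT EXECUTE ON SYS.UTL_TCP TO app_user;   -- app_user: assumed schema that needs it

-- 2. Which accounts are still open? Default IDs (e.g. SCOTT) that nobody uses
--    should be locked and their passwords expired.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status = 'OPEN'
 ORDER BY username;

ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;   -- scott: default demo schema

-- 3. Password verify function: reject passwords shorter than 12 characters,
--    equal to the username, or unchanged from the previous password.
--    Signature (username, password, old_password) RETURN BOOLEAN is what
--    PASSWORD_VERIFY_FUNCTION requires.
CREATE OR REPLACE FUNCTION min_len_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 12 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not match the username');
    END IF;
    IF old_password IS NOT NULL AND password = old_password THEN
        RAISE_APPLICATION_ERROR(-20003, 'Password must differ from the previous one');
    END IF;
    RETURN TRUE;
END;
/

-- Profile that forces a change every 90 days (the post's "every X days"),
-- limits reuse, and locks the account after repeated failed logins.
CREATE PROFILE hardened_pwd LIMIT
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       10
    PASSWORD_REUSE_TIME      365
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LOCK_TIME       1
    PASSWORD_VERIFY_FUNCTION min_len_verify;

ALTER USER app_user PROFILE hardened_pwd;

-- 4. Verify: no PUBLIC grant remains, and the profile is attached.
SELECT COUNT(*) AS public_utl_tcp_grants
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'UTL_TCP' AND grantee = 'PUBLIC';

SELECT username, profile, account_status
  FROM dba_users
 WHERE username IN ('APP_USER', 'SCOTT');
```

Revoking from PUBLIC can break packaged applications that call UTL_TCP (or the packages layered on it, such as UTL_HTTP and UTL_SMTP) without a direct grant, so the first SELECT is there to find those dependents before the REVOKE. The verify function and profile only take effect on the next password change, which matches the post's point that existing hashes are not altered by a policy change alone.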

