
Re: Parameter

From: Ray Stell <stellr_at_cns.vt.edu>
Date: Mon, 24 Apr 2006 22:33:51 -0400
Message-ID: <20060425023351.GB5247@cns.vt.edu>


On Mon, Apr 24, 2006 at 05:30:16PM -0400, Juan Carlos Reyes Pacheco wrote:
> I remember this was only on old releases.
> Last releases don't need it, they are always encrypted.

It is weak encryption, and Oracle posted this a while back wrt practices:



 Oracle Global Product Security has investigated the recent publication by Joshua Wright of the SANS Institute, and Carlos Cid of the University of London's Royal Holloway College, entitled "An Assessment of the Oracle Password Hashing Algorithm." This paper presents an analysis of the Oracle Database password hashing algorithm. It describes potential attacks against this algorithm when an attacker has access to password hash information.

 Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. In particular, issues noted in the paper can be addressed through limiting access to password hash information, and by enforcing good enterprise password policies. Moreover, Oracle customers have authentication options available which avoid the issues described in this paper.

 A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate potential attacks against the password hashing mechanisms in the Oracle Databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.

 The MetaLink Doc ID is 340240.1.  

 http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340240.1  

 Additional references:  

 http://www.oracle.com/technology/deploy/security/db_security/index.html  

 http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf    

--
http://www.freelists.org/webpage/oracle-l
Received on Mon Apr 24 2006 - 21:33:51 CDT
