Re: passwords (a bit of a rant)

From: Nuno Souto <dbvision_at_iinet.net.au>
Date: Wed, 14 Aug 2013 20:32:57 +1000
Message-ID: <520B5CD9.1090908_at_iinet.net.au>



See below
-- 
Cheers
Nuno Souto
dbvision_at_iinet.net.au


On 14/08/2013 6:09 AM, Guillermo Alan Bort wrote:

> completely unrelated words that  the crappy 7331 passwords that IT Sec
> seems

I love to run some of the L337-speak passwords that IT spec demands through a password cracker. 9 times out of 10, they are the easiest to crack...

> a security feature. I often find TOAD or SQL Developer from windows
> machines on the OOB vlan connected to the database with the schema
> owner of an application. This is bad, because not everybody bothers
> checking their queries before executing them and this can lead to
> horrible, horrible things running in the database (like a Cartesian
> join of two multi-million-row tables). This happens when an app uses

Or worse yet: when they leave a query window open tying up half my parallel query service processes in an inactive cursor, thereby ensuring my overnight ETL will overrun... Got a fix for it now but it nearly drove me nuts.

> Furthermore, changing application passwords is usually very hard
> (and more often than not it involves downtime of some sort), so if a

Try doing it on the Peoplesoft HR app server or for PSMAN and I'll guarantee a re-install...

> I seem to remember Oracle supports other types of authentication
> (other than passwords) but they don't seem to cut it.

And yet, it's the simplest thing in OS-land. None of our ssh connections require a password anymore: auth tokens are more than enough. I think external login authentication was an attempt to make it happen, but I don't know of anyone using it successfully.

> What are your opinions on oracle authentication and where it lacks?

Most of the apps we run ignore it. They use either a generic login and their own login/pswd pairs, a-la Peoplesoft and Apex+LDAP. Or a db login that does nothing and has nothing and a login trigger that sets things up properly.

> How do you handle password management, and application, developer and
> end user access to databases?

Where possible, I use "alter session set current_schema=schema_owner;" from user SYS. If not adequate, then I snapshot the encrypted pwd into a text file, replace it with something I can type in less than 1 hour, login, do the work, then go back to SYS and replace the new pwd with the old encrypted one using good old "identified by values".

>
> I haven't looked through all the 12c new features, is there anything
> new on this area?

Unfortunately, what I hoped for didn't happen. In a nutshell: http://dbasrus.blogspot.com.au/2011/11/wish-list-for-12c.html Ah well: another missed opportunity for Oracle to do something actually useful to dbas. Instead of blaming them for everything including global warming...

--
http://www.freelists.org/webpage/oracle-l
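The two DBA techniques Nuno describes above (working in the application schema via CURRENT_SCHEMA, and the snapshot/temporary-password/restore sequence with IDENTIFIED BY VALUES) written out as a SQL*Plus session. This is an added editorial example, not code from the original message or from the oracle-l list. It assumes a schema called APP_OWNER, a spool path, and placeholder hash values; the column names PASSWORD and SPARE4 in SYS.USER$ and the 'S:...;...' form of the restored value are those of 10g/11g, so verify them against the version actually in use before relying on them.

```sql
-- Added example (editor's, not the poster's): two ways for a DBA to work
-- inside an application schema. APP_OWNER, the spool path and the hash
-- placeholders are assumptions.

-- 1) Preferred: resolve unqualified names to the app schema without ever
--    touching the app account's credential. Privileges stay those of the
--    connected user (SYS here), so no password is changed or shared.
CONNECT / AS SYSDBA
ALTER SESSION SET CURRENT_SCHEMA = app_owner;
SELECT COUNT(*) FROM orders;   -- resolves to APP_OWNER.ORDERS (assumed table)

-- 2) When an actual login as the app user is unavoidable:
--    a) record the stored hashes (SYS.USER$ columns as in 10g/11g) to a file
--       kept outside the database and deleted afterwards
SPOOL /secure/dba/app_owner_pwd_snapshot.txt
SELECT name, password, spare4, ptime
  FROM sys.user$
 WHERE name = 'APP_OWNER';
SPOOL OFF

--    b) set a temporary password, log in, do the work
ALTER USER app_owner IDENTIFIED BY "Temp-for-change-2013-08-14";
CONNECT app_owner/"Temp-for-change-2013-08-14"
-- ... maintenance work as the schema owner goes here ...

--    c) back as SYS, put the original hashes back verbatim. On 11g the
--       accepted value is SPARE4 (already prefixed 'S:'), a semicolon,
--       then the legacy PASSWORD hash; on 10g the PASSWORD hash alone.
CONNECT / AS SYSDBA
ALTER USER app_owner
  IDENTIFIED BY VALUES '<SPARE4 from snapshot>;<PASSWORD from snapshot>';

--    d) confirm the restore matches the snapshot before closing the ticket
SELECT name, password, spare4
  FROM sys.user$
 WHERE name = 'APP_OWNER';
```

The CURRENT_SCHEMA route is the safer default: nothing about the application account changes, so there is no window in which a human-typed password is live and nothing for the application to fall over on. When the second route is needed, treat the spool file as a credential (it holds password hashes), and note that both ALTER USER statements are visible in the audit trail when auditing of ALTER USER is enabled, which is the record you want a reviewer to be able to find afterwards.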
Received on Wed Aug 14 2013 - 12:32:57 CEST