Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle network authentication encryption?

Re: Oracle network authentication encryption?

From: Mark D Powell <Mark.Powell_at_eds.com>
Date: 14 Nov 2005 06:23:11 -0800
Message-ID: <1131978191.833583.139260@f14g2000cwb.googlegroups.com>


Jeroen, it isn't the logon encryption that has been questioned recently so much as the password hash that Oracle generates and stores in the DB. It does not do you a lot of good to encrypt the logon id and password passed over the network if the password hash stored in the database can be easily broken.

There was an article published that criticized the password hash used by Oracle as being weak and demonstrating how easy it is to generate a list of all possible passwords for a set size password. Because Oracle converts lower case to upper, Oracle loses about half of the available hash values. The average was around 20 days to crack a password. Requiring all passwords to be long greatly increases this average time necessary to break the hash. Requiring all passwords to be changed in less than the average time to crack would also be wise. Use of single sign-on or LDAP based sign-on security would completely bypass this issue.

You can probably find a link or two to the issue on Pete Finnigan's site
http://www.petefinnigan.com
Pete sort of specializes in security related issues.

HTH -- Mark D Powell --

Received on Mon Nov 14 2005 - 08:23:11 CST
