Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle network authentication encryption?

Re: Oracle network authentication encryption?

From: Maxim Demenko <mdemenko_at_arcor.de>
Date: Mon, 14 Nov 2005 16:50:14 +0100
Message-ID: <4378b27e$0$7435$9b4e6d93@newsread4.arcor-online.net> 





Mark D Powell schrieb:


> Jeroen, it isn't the logon encryption that has been questioned recently

> so much as the password hash that Oracle generates and stores in the

> DB.  It does not do you a lot of good to encrypt the logon id and

> password passed over the network if the password hash stored in the

> database can be easily broken.

> 

> There was an article published that criticized the password hash used

> by Oracle as being week and demostrating how easy it is to generate a

> list of all possible passwords for a set size password.  Because Oracle

> converts lower case to upper Oracle loses about half of the available

> hash values.  The average was around 20 days to crach a password.

> Requiring all passwords to be long greatly increases this average time

> necessary to break the hash.  Requiring all passwords to be changed in

> less than the average time to crack would also be wise.  Use of single

> sign-on or LDAP based sign-on security would completely bypass this

> issue.

> 

> You can probably find a link or two to the issue on Pete Finnigan's

> site

> http://www.petefinnigan.com

> Pete sort of specializes in security related issues

> 

> HTH -- Mark D Powell --

> 




It might be interesting to add, that in Roger's comment on Bruce 
Schneier Blog on this subject ( 


http://www.schneier.com/blog/archives/2005/11/oracles_passwor.html ) - 
and Pete Finnegan picked this as well - is clearly stated , the 
uppercase used by Oracle to generate hashes  does not necessarily means 
weakness of algorithms being used.



<quote>


For example, the authors note that they were able to enumerate all 8 
character alphanumeric passwords in 39 days. Okay, a bit faster than I 
expected buuuut... we have long considered 8 character alphanumeric 
passwords to be the absolute lowest common denominator for password 
security. Adding in punctuation as well would already increase this to 
21 years! Or keeping to alphanumeric but requiring a ten character 
password, would push it out to 140 years. Or do both, and even with a 
1000 host zombie network it will take more than a century.
</quote>



The main problem seems to be not the Oracle hashing algorithm itself, 
but the fact, that many sites doesn't implement the simpliest things to 
make the passwords secure and don't prevent unauthorized access to 
hashed passwords stored in the database.



Best regards



Maxim
Received on Mon Nov 14 2005 - 09:50:14 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US