Re: Adding some random characters to Oracle password
Jeff wrote:
> In article <4180058e$0$32547$afc38c87_at_news.optusnet.com.au>, "Howard J.
> Rogers" <hjr_at_dizwell.com> wrote:
>
>>Scalability is just one concern. What happens if the secret ID and
>>password ever get discovered?
But that is the point about row level security (or the 9i secure application role stuff that Pete was talking about). With either, there is no password to discover. There are a series of tests (such as: what application are you using, what is your IP address, what user 'token' got placed in the application context when you logged on) to pass, and you either pass them or you don't. Packet sniff all you want, or stick lighted matches under the finger nails of the DBA, it isn't going to help you. Even if s/he tells you what those tests are, you will have to go to the effort of somehow faking a correct response to all of them.
Passwords, however, are very binary: once I know what it is, I can hack in via unauthorised channels, supply the password, and I'm away, no further questions asked.
Embedded "secret" passwords, in short, and lest I be too subtle, are a hopeless way of locking down anything.
Regards
HJR
Received on Thu Oct 28 2004 - 14:16:40 CDT
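
The kind of check the post describes, as an added example that is not part of the original message: a secure application role with no password, enabled only when a package's tests on IP address, calling application and an application-context token all pass. Every schema, role, user and value name below is hypothetical.

```sql
-- Added example. Hypothetical names: sec_admin, app_ctx, hr_app_role, app_user,
-- hr.employees, the 10.1.2.% subnet and the module name HRAPP are all assumptions.

-- Context namespace writable only through the trusted package sec_admin.ctx_pkg.
CREATE CONTEXT app_ctx USING sec_admin.ctx_pkg;

CREATE OR REPLACE PACKAGE sec_admin.ctx_pkg AS
  PROCEDURE set_token(p_token IN VARCHAR2);  -- called at logon by trusted code
END ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.ctx_pkg AS
  PROCEDURE set_token(p_token IN VARCHAR2) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('APP_CTX', 'USER_TOKEN', p_token);
  END set_token;
END ctx_pkg;
/
-- No password on the role: it can be enabled only from inside role_pkg.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.role_pkg;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;
GRANT hr_app_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT hr_app_role;

-- Invoker's rights are required for DBMS_SESSION.SET_ROLE to work here.
CREATE OR REPLACE PACKAGE sec_admin.role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END role_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.role_pkg AS
  PROCEDURE enable_hr_role IS
    v_ip     VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    v_module VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'MODULE');  -- client-supplied
    v_token  VARCHAR2(256) := SYS_CONTEXT('APP_CTX', 'USER_TOKEN');
  BEGIN
    -- Every test must pass; NULLs (e.g. a local, non-network login) fail closed.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.1.2.%'
       OR v_module IS NULL OR v_module <> 'HRAPP'
       OR v_token IS NULL
    THEN
      RAISE_APPLICATION_ERROR(-20001, 'hr_app_role is not available');
    END IF;
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END enable_hr_role;
END role_pkg;
/
GRANT EXECUTE ON sec_admin.role_pkg TO app_user;
```

The application calls `sec_admin.role_pkg.enable_hr_role` after connecting; a session that connects through any other channel holds the grant but cannot switch the role on, and there is no role password in the client to recover.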