Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "An interesting case of information disclosure"] [Next entry: "Michael Singer of Intenet News talks about Oracles new patch schedule"]

Slight update to the default password check scripts



I have just made a small change to the default password checker scripts after a good point was made by Ian on the LazyDba mailing list. He suggested that the user used for the checks, ORAPROBE, should be creatable with a password from the full character set, e.g. it should be possible to create the password encased in quotes. Without this passwords are limited to the ASCII characters, digits and "#_$" characters. So I have added quotes to the create scripts so you can and should create more secure passwords that include characters not in the standard set used for non quoted passwords. This makes it much harder to crack the passwords.

You could have simply passed a password with quote characters, e.g. "p3ss%%w*d" when promoted to in the old script but that meant you needed to remember to do this. Adding quotes in the install scripts makes it easier.

I should point out that the user ORAPROBE is also included in the default_password_list anyway with a password of ORAPROBE.

I have also updated the tools page to include links to the tool.