Nice paper on checking Oracle password strength and enforcing it
The paper is quite concise but says the right things with some good examples. I have seen all of this before in various places but this article sums up the issue of password complexity quite well. Steve starts by showing how passwords are stored and created and how trace will not reveal the password as itís created. This is not quite true up to 18.104.22.168 and depending on the trace used. I wrote a short paper a long time ago that discussed how to extract passwords from the library cache. It was called "Revealing clear text passwords from the SGA". Also recently I have shown how Oracle passwords can be extracted from the network in a short paper called "Passwords transmitted in clear text on SQL*Net". Anyway that was a digression. Steve then goes on to talk about password crackers and recommends Bear Dangs tool which is SQL based. There is a link to it on my Oracle security tools page. Steve completes the paper with a discussion on using the Oracle password complexity function that can be attached to a userís profile. He also gives some examples of some invalid passwords and makes a very good point about comparing your idea of password complexity with that of your users. Steve also says that this is part one of a two part paper, I will watch out for the second part.