
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


A very good paper about weaknesses in password security

I mentioned the security paper repository website SecurityDocs.com last night in my post "A repository of security papers - SecurityDocs.com". I was searching the site a bit last night and found a good paper written by Paul Gurgul on 16 Nov 2004 called "Exploits & Weaknesses in Password Security", so I downloaded the paper and read through it.

This is a very thorough look at passwords: their use, hacking, cracking and auditing. It even covers social engineering, Trojan horses and network sniffing, and even electromagnetic eavesdropping. It then goes on to discuss ideas for improving reusable passwords, authentication using authentication servers (covering third-party authentication), and then gives a primer on cryptography with quite an in-depth look at Kerberos, followed by X.509 certificates.

The paper winds up with one-time passwords as a replacement for reusable passwords and a discussion of strong authentication, one-time passwords and one-time pads, two-factor authentication and ACE servers. The paper ends with a discussion of challenge-response authentication as a way to make I&A (identification and authentication) stronger, and also the need for intrusion detection and biometrics.

This is a superb paper and very, very thorough. It is well worth reading: even though it's not Oracle specific, it talks about issues and features used by Oracle authentication and password management, and also covers some of the ASO (Advanced Security Option) features and functions such as Kerberos and X.509. Great paper!