Good thread on Oracle brute force password cracking and OUG Scotland
October 3rd, 2005 by Pete
I just wanted to mention a good thread on my Oracle security forum titled "Toolcrypt's orabf" again. I mentioned it a week or so ago. There has been some great testing by Marcel-Jan of the timings to crack passwords of various constructions and lengths with the brute force modes. There is also a good discussion on how it would be easier to crack passwords if both the hash and the password policy are known, as a custom engine could then determine a smaller keyspace map and find passwords quicker. There are some good ideas here, and this also emphasises the need to protect the password hashes at all costs. If they become known then it becomes easier to crack passwords. If the password hashes are not available then the only option available to the hacker is to use connect scripts to attempt access as a particular user. It's also important to ensure that password policies are not made public, as knowledge of them could reduce the potential keyspace needed to crack a password.
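To put a number on the keyspace point above, here is an added example (not code from the forum thread or from orabf) that counts how many candidates remain once a password policy is known. The character class sizes, the sample policy and the guess rate are all assumptions chosen for illustration.

```python
from itertools import combinations

# Assumed class sizes for a case-insensitive password alphabet:
# 26 letters, 10 digits, 3 specials. Adjust to the system being assessed.
CLASSES = {"letter": 26, "digit": 10, "special": 3}
TOTAL = sum(CLASSES.values())

def count_fixed_length(n, required=(), first_class=None):
    """Number of n-character passwords containing at least one character
    from every class in `required`, optionally with the first character
    restricted to `first_class` (inclusion-exclusion over `required`)."""
    if n < 1:
        return 0
    total = 0
    for k in range(len(required) + 1):
        for banned in combinations(required, k):
            # Alphabet left once the banned classes are excluded.
            allowed = TOTAL - sum(CLASSES[c] for c in banned)
            if first_class is None:
                first = allowed
            else:
                first = 0 if first_class in banned else CLASSES[first_class]
            total += (-1) ** k * first * allowed ** (n - 1)
    return total

def keyspace(min_len, max_len, required=(), first_class=None):
    """Candidates that still have to be considered under a known policy."""
    return sum(count_fixed_length(n, required, first_class)
               for n in range(min_len, max_len + 1))

def worst_case_days(candidates, guesses_per_second):
    """Days needed to exhaust the keyspace at an assumed guess rate."""
    return candidates / guesses_per_second / 86400

if __name__ == "__main__":
    rate = 1_000_000  # constructed figure, not a timing from the thread
    unknown = keyspace(1, 8)  # policy unknown: any string up to 8 chars
    # Hypothetical policy: exactly 8 chars, starts with a letter, has a digit.
    known = keyspace(8, 8, required=("letter", "digit"), first_class="letter")
    print(f"policy unknown: {unknown:,} ({worst_case_days(unknown, rate):.1f} days)")
    print(f"policy known:   {known:,} ({worst_case_days(known, rate):.1f} days)")
    print(f"policy knowledge removes {1 - known / unknown:.1%} of the search")
```

Running the same calculation against a proposed policy before it is rolled out shows how much of the search space each mandatory rule gives away if the policy leaks.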
Also I am speaking tomorrow at the OUG Scotland in Glasgow about Oracle security. If anyone is coming along, please come and say hello. Details can be found on the OUG Scotland site.



