
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Good thread on Oracle brute force password cracking and OUG Scotland



I just wanted to mention again a good thread on my Oracle security forum titled "Toolcrypt's orabf", which I first mentioned a week or so ago. Marcel-Jan has done some great testing of how long the brute force modes take to crack passwords of various constructions and lengths. There is also a good discussion of how much easier it would be to crack passwords if the hash is known and the password policy is also known, because a custom engine could then determine a smaller keyspace map and find passwords quicker. There are some good ideas here, and this also emphasises the need to protect the password hashes at all costs: if they become known, it becomes easier to crack passwords. If the password hashes are not available, the only option left to the hacker is to use connect scripts to attempt access as a particular user. It's also important to ensure that password policies are not made public, as knowledge of them could reduce the potential keyspace needed to crack a password.
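The keyspace point above can be checked with a short calculation. This is an added example, not code from the forum thread or from orabf: it counts how many candidate passwords remain once a policy is known, using inclusion-exclusion. The character classes and the sample policy are constructed assumptions.

```python
from itertools import combinations

# Constructed character classes (assumption, not from the post):
# case-insensitive letters, digits, and three punctuation characters.
CLASSES = {"letter": 26, "digit": 10, "special": 3}


def count_fixed_length(length, required=(), first_class=None, classes=CLASSES):
    """Count strings of exactly `length` characters that contain at least one
    character from every class in `required` and, if `first_class` is set,
    start with a character from that class (inclusion-exclusion)."""
    if length <= 0:
        return 0
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            # Alphabet left once the excluded classes are forbidden.
            size = sum(n for name, n in classes.items() if name not in excluded)
            if first_class is None:
                ways = size ** length
            elif first_class in excluded:
                ways = 0  # first character cannot come from a forbidden class
            else:
                ways = classes[first_class] * size ** (length - 1)
            total += (-1) ** k * ways
    return total


def keyspace(min_len, max_len, required=(), first_class=None, classes=CLASSES):
    """Total candidates over every length from min_len to max_len."""
    return sum(count_fixed_length(n, required, first_class, classes)
               for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    unknown = keyspace(1, 8)  # policy not known: any length up to 8
    # Hypothetical published policy: exactly 8 characters, starts with a
    # letter, contains at least one digit.
    known = keyspace(8, 8, required=("digit",), first_class="letter")
    print(f"policy unknown: {unknown:,}")
    print(f"policy known:   {known:,}")
    print(f"fraction left:  {known / unknown:.1%}")
```

Running the same count against a proposed policy before it is written down anywhere public shows how much of the search space its disclosure would give away.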

I am also speaking tomorrow at OUG Scotland in Glasgow about Oracle security. If anyone is coming along, please come and say hello. Details can be found on the OUG Scotland site.