[Previous entry: "What Are the Default Restrictions on Oracle Passwords?"] [Next entry: "Many ways to become DBA"]
Bruce Schneier blogs about the Oracle password weakness paper
November 8th, 2005 by Pete
Post to del.icio.us
Post to Furl
I saw this evening that Bruce Schneier has posted an entry in his blog about the paper Josh released. The post is titled "Oracle's Password Hashing". The interesting part is the comments, especially Roger's comments about the weaknesses.
My feelings on this are two fold. The first is that the real problem is that the hashes are easy to get hold of - this is the weakness. Without them brute forcing would involve brute forcing the DES keys which would be magnitudes harder. Therefore the hashes need to be secured at all costs. The second issue is that if people set long enough passwords and used the full keyspace then brute forcing of even building suitable rainbow tables would take too long. The problem is that people do not set long enough passwords or use enough of the keyspace. Interesting post though.
