Oracle responds to the password algorithm weakness paper
November 15th, 2005 by Pete
I saw on Eddie's blog last week a post titled "Oracle Responds to the Password Hashing Algorithm Paper" which replicates an email from Oracle support refuting some of the claims in Josh and Carlos' paper. It starts with a statement that says the paper describes possible attacks when the hacker has the password hash available. This, as I have said previously, is the key to the weaknesses. The second paragraph suggests using industry standard practices for protecting databases. This, I feel, refers to password choice and also to the protection of the hashes from being accessed. The email finally points to a Metalink note, Doc ID 340240.1, which details steps to protect against these types of attack.


