Auditing an Oracle database for security issues is very important. provides all of the information and tools that you will need Click here for details of Limited's detailed Oracle database security audit service Click here for details of Limited's Oracle Security Training Courses
There are 51 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan's Oracle security weblog

Home » Archives » November 2009 » One more point on Oracle password crackers

[Previous entry: "Update to Dennis Yurichevs FPGA cracker plus exploit code for the CPU CVSS 10.0 bug"] [Next entry: "Back from Prague and a new paper on explicit grants and roles"]

One more point on Oracle password crackers

November 2nd, 2009 by Pete

I blogged last week about Dennis Yurichev's FPGA password cracker here in a blog titled "Update to Dennis Yurichevs FPGA cracker plus exploit code for the CPU CVSS 10.0 bug" and i set off two example cracker sessions for users with passwords; one starting with AA and the other starting with ZZ:

AA 3FC24C0BFAED94B1 test 1 - SOLVED ZZHG76J time spent: 21m31s; average speed: 69M
AB 111E83722DB9BF88 test 2 - SOLVED AAGHB6G time spent: 40s; average speed: 81M

The results above are from Dennis's site. This proves my theory that if you choose a password starting with AA its cracked much faster with Dennis's cracker than one starting with ZZ. This is replicated with software based crackers cycle through possible passwords by walking the character set in the same order as the alphabet.

This is really important to remember when you create password verification and password management rules. One thing you should be doing is designing password complexity and length and also calculating password lifetimes so that if a prolonged attack is made against your passwords with a password cracker they will survive their own lifetime. This means you must consider the "flaws" (perhaps the wrong word but it will suffice for this discussion) in the passwords crackers out there. If you design a password length assuming that a password would fall in perhaps 50% of the time necessary to try all possible passwords with decent average hardware and a software based cracker then you must ensure that passwords cannot start with easier (quicker) to cracker letters or you must increase the length of the passwords. There is a downside to forcing a reduced character set for a password to counteract a password attack with password crackers - it in itself makes the password weaker and someone could modify an existing cracker source code to exploit this against your passwords - so be careful and ensure your rules are not leaked and ensure that you cover all bases.

November 2009

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Weblog Home
Weblog Archives

Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Web Development
SQL Server Security

Atom 0.3 FEED
Powered by gm-rss 2.0.0

Valid XHTML 1.0!