Learn Oracle password limitations
In this excellent summary of Oracle passwords we see an outstanding
overview of Oracle password management:
http://www.red-database-security.com/whitepaper/oracle_passwords.html
The most frightening part of this Oracle password summary is the
section on brute-force attacks, which shows the value of insisting on
long passwords and turning on password disabling:
Oracle brute force attacks / Decryption
It is not possible to decrypt the hash string, but without a salt it
is possible to do a brute force attack. There are several Oracle
brute force tools available. The tools encrypt the username/password
and compare the hash key. If they are identical you know the password.
They range from simple SQL-based tools (300 pw/second) up to special C
programs. The fastest tool calculates 700,000 passwords/second. On a
Pentium 4 with 3 GHz it takes
- 17 seconds to calculate all 5-character-combinations
- 7 minutes to calculate all 6-character-combinations
- 3 hours to calculate all 7-character-combinations
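The figures quoted above are easy to sanity-check. The following Python is added here as an example; it is not code from the whitepaper or from the original post. It computes the worst-case exhaustive-search time from alphabet size, password length and guess rate, and reproduces 17 seconds, 7 minutes and 3 hours when the alphabet is the 26 letters. That alphabet size, and the other alphabet sizes in the code, are my assumptions, since the whitepaper does not say which characters its tool tried. The same function then shows how the time grows with a wider alphabet and longer passwords, which is the defender's argument for the length rules and lockout that the page recommends.

```python
"""Brute-force time estimates for the legacy (unsalted) Oracle password hash.

Added example, not code from the whitepaper or the original post. It
reproduces the quoted timings from first principles and lets a DBA see
how they change with password length and alphabet size.
"""

# Rate quoted in the whitepaper for the fastest tool (passwords per second).
QUOTED_RATE = 700_000

# Alphabet sizes are assumptions; the whitepaper does not state which
# characters its tool tried. The legacy hash upper-cases the password
# before hashing, so letter case adds nothing to the search space.
LETTERS = 26                    # A-Z only
LETTERS_DIGITS = 26 + 10        # A-Z plus 0-9
LEGACY_FULL = 26 + 10 + 3       # A-Z, 0-9 and the symbols _ $ # allowed without quoting


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def exhaustive_seconds(alphabet: int, length: int, rate: int = QUOTED_RATE) -> float:
    """Worst case: seconds to try every password of exactly `length` characters.

    Because the legacy hash is unsalted, one guess can be checked against
    every captured hash at once, so this is the cost per password length,
    not per account.
    """
    return keyspace(alphabet, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.0f} seconds"


def whitepaper_table(alphabet: int = LETTERS, rate: int = QUOTED_RATE) -> dict:
    """Worst-case seconds for the three password lengths the whitepaper quotes."""
    return {n: exhaustive_seconds(alphabet, n, rate) for n in (5, 6, 7)}


if __name__ == "__main__":
    print("Reproducing the quoted figures (26-letter alphabet, 700,000 pw/s):")
    for n, secs in whitepaper_table().items():
        print(f"  {n} characters: {human(secs)}")
    print("\nSame rate, larger alphabet and longer passwords:")
    for alphabet, label in ((LETTERS, "A-Z"), (LEGACY_FULL, "A-Z 0-9 _$#")):
        for n in (7, 10, 12):
            print(f"  {label:12} {n:2} chars: {human(exhaustive_seconds(alphabet, n))}")
```

Run it as a script to print both tables. Note that the estimate is per password length at a fixed guess rate; a faster machine or several machines divide the time accordingly, while each extra character multiplies it by the alphabet size, which is why length and a wide character set matter far more than raw hardware speed.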
The best section in this page is the technique used by Oracle DBAs
to temporarily sign on as a user while retaining that user's encrypted
password:
How to change an Oracle password temporarily?
In Oracle it is possible to change a password temporarily. This can
be useful for DBAs who need to act as a different user.

SQL> select username, password from dba_users where username = 'SCOTT';

USERNAME                       PASSWORD
------------------------------ ----------------
SCOTT                          F894844C34402B67

SQL> alter user scott identified by mypassword;

Now login with the following credentials: scott/tiger
After doing your work you can change the password back by using an
undocumented feature called "by values":

SQL> alter user scott identified by values 'F894844C34402B67';
For a more detailed review of Oracle password management techniques,
they have also published a nice presentation on "hardening" the
password security of PCs that access Oracle:
http://www.red-database-security.com/wp/hardening_admin_pc_us.pdf