Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Default passwords
        
(Message started by: Pete Finnigan on Apr 8th, 2013, 12:46pm)
Title: Default passwords
Post by Pete Finnigan on Apr 8th, 2013, 12:46pm
Hi,

I'm in favor to change default passwords EVEN if the account (dip, wmsys, etc) is locked. But an external dba says it is not necessary to change the password because the accounts are locked. I've argumented that there such an account could be unlocked (for some reason) and that that would cause a security issue. Do you have some other arguments to change default passwords of locked account?

regards,

Ivan
Title: Re: Default passwords
Post by Pete Finnigan on Apr 30th, 2013, 10:47am
Before discussing about active / inactive user accounts there is a "Enforcing Password Complexity Verification" rule that defines criterias a password have to fulfill at the time is set. This is not only internally DBA but you will see it everywhere, in OS or other databases. Before discussing about account status the password is breaking the rules. If there is some way attackers can get use of such account (i.e. because locking mechanisms not consistently checked internally but only at logon-time or because bugs/ or way to overpass protections) the accounts will be exposed just because someone ignored this minimal rule at the time of setting that account (password). This is covered by the old NIST CVE-2007-6260 and the advice was to change the default passwords not matter the context or when are set; even the accounts are locked, expired at the end of instance creation; DBCA was changed a bit in 10g but as mentioned in http://www.securityfocus.com/archive/1/483652 there is a timeframe the instance is vulnerable (could be enough for a trojan like attack) and the same, there is possible that accidentally unlocking to expose on issues. On the other hand, attacks which only require a existing valid account, not matter if active or not (in DoS) could experiment such accounts too. Please note that there is no warning back to DBA about the complexity of the password when a DBA is unlocking user accounts and theoretically there are no clues about the fact that for i.e. user apps_002 is having password identical with user name (because of privacy???) so a DBA is simple unlocking the user not being aware about the fact it is opening the DB for intruders. Regards, Paul B.


Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board