Pete Finnigan's Oracle Security Weblog

I was searching google for information about the INDENTIFIED BY VALUES clause of the ALTER USER statement and found quite a nice article about Oracle password strength, cracking and protection. The paper is called Connecting with Oracle: The Password Game by Steve Callan.

The paper is quite concise but says the right things with some good examples. I have seen all of this before in various places but this article sums up the issue of password complexity quite well. Steve starts by showing how passwords are stored and created and how trace will not reveal the password as it’s created. This is not quite true up to 9.2.0.3 and depending on the trace used. I wrote a short paper a long time ago that discussed how to extract passwords from the library cache. It was called "Revealing clear text passwords from the SGA". Also recently I have shown how Oracle passwords can be extracted from the network in a short paper called "Passwords transmitted in clear text on SQL*Net". Anyway that was a digression. Steve then goes on to talk about password crackers and recommends Bear Dangs tool which is SQL based. There is a link to it on my Oracle security tools page. Steve completes the paper with a discussion on using the Oracle password complexity function that can be attached to a user’s profile. He also gives some examples of some invalid passwords and makes a very good point about comparing your idea of password complexity with that of your users. Steve also says that this is part one of a two part paper, I will watch out for the second part.