Pete Finnigan's Oracle Security Weblog

I mentioned the Security paper repository website SecurityDocs.com last night in my post "A repository of security papers - SecurityDocs.com". I was searching the site a bit last night and found a good paper written by Paul Gurgul on 16 Nov 2004 called "Exploits & Weaknesses in Password Security" so I downloaded the paper and read through it.

This is a very thorough look at passwords, their use, hacking, cracking and auditing. It even covers social engineering, Trojan horses, and network sniffing, even electromagnetic eves dropping. It then goes onto discuss ideas for improving reusable passwords, the authentication using authentication servers covering third party authentication and then a primer on cryptography with quite an in depth look at Kerberos then to X509 certificates.

The paper winds up with one time passwords instead of reusable passwords and a discussion on strong authentication, one time passwords and one time pads, two factor authentication and ACE servers. The paper ends with a discussion or challenge response authentication to make I&A stronger and also the need for Intrusion Detection and also Biometrics.

This is a superb paper and very very thorough. It is well worth reading even though its not Oracle specific it talks about issues and features used by Oracle authentication and password management and also covers some of the ASO features and functions such as kerberos and X509. Great paper!