Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "10gR2 the CONNECT role has finally been sanitized"] [Next entry: "slashdot discussion about Mary Ann Davidsons recent news article"]

Joshua Wright has provided a free tool to check Oracle accounts for common passwords

Josh Wright who normally teaches the SECURITY 509: Securing Oracle that I wrote for SANS has written a useful tool called hashattack. This is a set of simple scripts that pre-computes the password hashes for a particular Oracle user such as SYS or SYSTEM. The scripts use a dictionary (you can provide your own) to pre-compute the hashes for a large list of possible passwords. You then can use the database table of password/hash combinations to check if the current password is set to a dictionary word. The list can then be used to check the password for the same user in any number of databases. So whilst it is time consuming to create the hash list once created it can be re0used to great effect.

I have added details of the tool on my Oracle security tools page and extra description there.