I just wanted to mention again a good thread on my Oracle security forum titled "Toolcrypt's orabf". I mentioned it a week or so ago. Marcel-Jan has done some great testing of how long the brute-force modes take to crack passwords of various constructions and lengths. There is also a good discussion of how much easier cracking becomes if both the hash and the password policy are known, since a custom engine could then work from a smaller keyspace map and find passwords more quickly. There are some good ideas here, and the thread emphasises the need to protect the password hashes at all costs. If they become known, it becomes easier to crack passwords. If the password hashes are not available, the only option left to the hacker is to use connect scripts that attempt access as a particular user. It's also important to ensure that password policies are not made public, as knowledge of them could reduce the potential keyspace needed to crack a password.
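To put a number on the keyspace point above, here is an added example (not code from the forum thread or from orabf) that counts how many candidates remain once a policy is known. The 36-character alphabet and the 6 to 8 character, letter-plus-digit policy are assumptions chosen for illustration.

```python
from itertools import combinations

# Constructed alphabet (assumption): single-case letters plus digits.
CLASSES = {"letter": 26, "digit": 10}


def full_keyspace(alphabet_size, min_len, max_len):
    """Candidates when nothing about the policy is known."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def policy_keyspace(classes, required, min_len, max_len):
    """Candidates that contain at least one character from every class in
    `required`, counted per length by inclusion-exclusion."""
    alphabet = sum(classes.values())
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(len(required) + 1):
            for excluded in combinations(required, k):
                remaining = alphabet - sum(classes[c] for c in excluded)
                total += (-1) ** k * remaining ** n
    return total


def reduction(classes, required, policy_min, max_len):
    """Fraction of the unknown-policy keyspace (lengths 1..max_len) that a
    known policy removes from the search."""
    full = full_keyspace(sum(classes.values()), 1, max_len)
    known = policy_keyspace(classes, required, policy_min, max_len)
    return 1 - known / full


if __name__ == "__main__":
    # Hypothetical policy: 6 to 8 characters, at least one letter and one digit.
    full = full_keyspace(36, 1, 8)
    known = policy_keyspace(CLASSES, ["letter", "digit"], 6, 8)
    print(f"policy unknown: {full:,}")
    print(f"policy known:   {known:,}")
    print(f"removed:        {reduction(CLASSES, ['letter', 'digit'], 6, 8):.1%}")
```

Running it against your own policy's character classes and length limits shows how much of the search space the published rules would give away.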
Also I am speaking tomorrow at the OUG Scotland in Glasgow about Oracle security. If anyone is coming along, please come and say hello. Details can be found on the OUG Scotland site.