Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "What Are the Default Restrictions on Oracle Passwords?"] [Next entry: "Many ways to become DBA"]

Bruce Schneier blogs about the Oracle password weakness paper

I saw this evening that Bruce Schneier has posted an entry in his blog about the paper Josh released. The post is titled "Oracle's Password Hashing". The interesting part is the comments, especially Roger's comments about the weaknesses.

My feelings on this are two fold. The first is that the real problem is that the hashes are easy to get hold of - this is the weakness. Without them brute forcing would involve brute forcing the DES keys which would be magnitudes harder. Therefore the hashes need to be secured at all costs. The second issue is that if people set long enough passwords and used the full keyspace then brute forcing of even building suitable rainbow tables would take too long. The problem is that people do not set long enough passwords or use enough of the keyspace. Interesting post though.