
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Oracle responds to the password algorithm weakness paper

I saw on Eddie's blog last week a post titled "Oracle Responds to the Password Hashing Algorithm Paper", which replicates an email from Oracle support refuting some of the claims in Josh and Carlos' paper. It starts with a statement that says the paper describes possible attacks when the hacker has the password hash available. This, as I have said previously, is the key to the weaknesses. The second paragraph suggests using industry standard practices for protecting databases. This, I feel, refers to password choice and also to the protection of the hashes from being accessed. The email finally points to a Metalink note, Doc ID 340240.1, which details steps to protect against these types of attack.