Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Integration Promises Still Haunting Oracle"] [Next entry: "securing apache with Oracle"]

The possible complexity level of Oracle database passwords is in question

I saw a very interesting post to my Oracle security forum yesterday titled "Re: Valid characters for Oracle passwords?...". In this post it was pointed out that accented characters when lower case or upper case actually generate the same database password. In other words they are not case sensitive. I have pointed out previously that the ASCII characters are not case sensitive so when a password is chosen from the complete keyspace the number of possible characters is reduced by 26 from 256 to 230. So reducing the possible number of passwords that could be created. When I saw the post above I failed to see the significance at first. Gary pointed out my mistake in another post where he did a simple check of characters that are not case sensitive. This Gary tells us means that there are 60 such characters, leaving only 196 unique characters. Then a further post shows that in 8i at least there are only 102 distinct characters available. Whilst this does not prevent anyone from choosing complex enough passwords with enough length from this available keyspace the fact is that if a password is short enough and the true keyspace is much lower then it affects the time need to brute force a password by a big factor.

Interesting testing!