Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "A new book "Cryptography in the Database: The Last Line of Defense""] [Next entry: "Oracle Combines Its Identity Management Offerings"]

Some more thoughts on the weakness of Oracle database passwords

If you use a simple password with the Oracle database that uses just ASCII character and maybe some digits but is of a short length. This type of password is weak because it can be brute forced using a password cracker such as orabf. Similarly a password that is weak because it is a dictionary word can also be cracked using the same tool and a dictionary file. The common ways to increase the strength of an Oracle database password is to use a longer password that is so long that a brute force cracker cannot crack the password in a satisfactorily short time. Obviously another way t have a strong password is to not use a dictionary word. A further way to create harder to crack passwords is to use a bigger keyspace and to use more different character types from that keyspace. This allows you to have slightly shorter passwords as a brute force cracker would need to loop through a larger number of characters to test each possible password for a given password length. The sronger passwords should use the normal Oracle object naming conventions. i.e. use ASCII characters, digits and the special characters "_$#". Remember to only start the password with an ASCII character. This is not the best solution though; if the password is wrapped in quotes then the full keyspace can be used. This is what I talked about the other day. It has always been known that the characters for an Oracle password (and object name) are not case sensitive and therefore we always assumed that the total keyspace available would be 256 - 26 = 230. Then when i talked about this the other day we now know that this is not the case. The keyspace is much smaller because other characters are repeated. A post said that for 8i the keyspace is only 108 characters. There was an additional post titled "Re: Valid characters for Oracle passwords?..." by Laurent that shows a great experiment with an Uppercase c-cedille and how this is the same actual character as lower case c-cedille, Uppercase c-cedille and a lower case "g". Now today Jeff Kayser has made a great post on my Oracle security forum. He has detailed some tests on 10gR1 on Sun Solaris 8. he has found that only ASCII characters are acceptable, characters in the range 0 - 127. He finds that if you use other characters you get an ORA-01040 error. NULL and double quotes are not allowed. Therefore a possible 128 characters reduced to 126, then disallow the upper / lower case issue and you end up with 100 possible characters.

Jeff has created a small PL/SQL program that tests all the possible characters and shows for a one character password that his theory holds. As Jeff points out this may be platform specific and he also challenges others to find any more possible characters.

The bottom line is that there are still 100 possible characters for passwords that use the full keyspace so carefully chosen passwords can still be used that cannot be cracked but if people do not realise that the keyspace contains a lot of duplicates then passwords and only 100 possible characters, not 256 characters then a password that is thought to be strong may not actually be so strong. Be careful with password choices!