Educause Security Discussion mailing list archives
Re: Complex passwords and Oracle
From: Randy Marchany <marchany () VT EDU>
Date: Mon, 15 Sep 2008 14:06:30 -0400
Google "oracle password weakness" and you'll get a number of papers describing problems with Oracle's password algorithm. It's supposedly fixed with the latest versions of Oracle or if you get their Security Package. Older versions of Oracle converted your password to uppercase among other things.

Check out http://www.sans.org/rr/special/index.php?id=oracle_pass. This is the 2005 paper that describes the problems with 'earlier' versions of Oracle. It's pretty depressing from a security standpoint. Oracle has corrected the problems in later versions but this should have never happened in the first place.

The general point of this is that your password strength rules may be undercut by vendor password restrictions. You need to examine all of your vendor password requirements to come up with a workable lowest common denominator.

-Randy Marchany
VA Tech IT Security Office
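An added example, not part of the original message: a sketch of the lowest-common-denominator check the post recommends, showing how much brute-force work a complexity rule loses on a system that folds case. The system names, length limits and character classes are constructed for illustration and are not real product limits.

```python
import math
from dataclasses import dataclass

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
ALL = frozenset(CLASS_SIZES)

@dataclass(frozen=True)
class Constraint:
    name: str
    min_len: int
    max_len: int
    classes: frozenset = ALL      # character classes the system accepts
    case_sensitive: bool = True   # False: system folds case (e.g. uppercases)

def common_denominator(constraints):
    """Intersect constraints: the password must be accepted everywhere."""
    min_len = max(c.min_len for c in constraints)
    max_len = min(c.max_len for c in constraints)
    classes = frozenset.intersection(*(c.classes for c in constraints))
    if min_len > max_len or not classes:
        raise ValueError("no password satisfies every system")
    return Constraint("common", min_len, max_len, classes,
                      all(c.case_sensitive for c in constraints))

def effective_alphabet(c):
    """Distinct symbols per position as the system compares them."""
    classes = set(c.classes)
    if not c.case_sensitive and {"lower", "upper"} <= classes:
        classes.discard("lower")  # 'a' and 'A' collapse to one symbol
    return sum(CLASS_SIZES[k] for k in classes)

def bits(c, length):
    return length * math.log2(effective_alphabet(c))

def undercut_report(policy, systems):
    """Bits of brute-force work lost on each system versus the policy."""
    report = {}
    for s in systems:
        usable = Constraint(s.name, s.min_len, s.max_len,
                            policy.classes & s.classes, s.case_sensitive)
        lost = bits(policy, policy.min_len) - bits(usable, min(policy.min_len, s.max_len))
        if lost > 1e-9:
            report[s.name] = round(lost, 1)
    return report

# Constructed sample data: hypothetical systems, not real product limits.
POLICY = Constraint("campus_policy", 8, 64)
SYSTEMS = [Constraint("directory", 8, 64),
           Constraint("legacy_db", 1, 30, frozenset({"lower", "upper", "digit"}), False)]
```

With this sample data, `undercut_report(POLICY, SYSTEMS)` flags only the case-folding system, and `common_denominator([POLICY] + SYSTEMS)` gives the length range and character classes that every system accepts.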