[Communication] Evaluation of the Oracle Password Hash Algorithm

Posted on 1/24/2015 1:44:38 PM

Received an email notification today: Oracle has responded to a recent security paper, An Assessment of the Oracle Password Hashing Algorithm. The authors of this paper, which caused trouble for Oracle, are Joshua Wright of SANS and Carlos Cid of Royal Holloway College in London. SANS has a lot of influence in the security field, so Oracle had to deal with the headache. The paper raises three main security issues:

1. Weak password "salt". If one user's name is Crack and the password is password, and another user's name is Crac and the password is kpassword, you can see by checking the data dictionary that the stored password hashes are actually the same! This is because Oracle concatenates the username and password into one string before hashing (in our example the two concatenations give the same string), which weakens the protection of the passwords.
2. Passwords are not case-sensitive. This is not a new discovery; Oracle passwords have always been case-insensitive. However, being raised together with the other issues this time gives it a little more weight. Enterprise User Security passwords in Oracle 10g are case-sensitive.
3. Weak hash algorithm. For this part, refer to the Oracle password encryption method I introduced before. Because the algorithm is weak, the likelihood of offline dictionary cracking is greatly increased.
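As an added illustration (not code from the paper, from Oracle, or from the original post), the following Python models the first two issues: the username is the only "salt" and is simply concatenated to the password, and the whole string is upper-cased before hashing. SHA-256 stands in for the hash so only the salt and case problems are shown; the real pre-11g algorithm is not reproduced. The hardened form with a random per-user salt and length-prefixed fields is hypothetical, not Oracle's actual fix.

```python
import hashlib
import os

def _digest(data: bytes) -> str:
    # Stand-in digest: the actual legacy Oracle algorithm is NOT reproduced
    # here; SHA-256 only isolates the salting and case-folding weaknesses.
    return hashlib.sha256(data).hexdigest()

def legacy_style_hash(username: str, password: str) -> str:
    """Model of the weak scheme described in the paper: username acts as the
    only salt, is plainly concatenated to the password, and the combined
    string is upper-cased (case-insensitive passwords)."""
    return _digest((username + password).upper().encode("utf-8"))

def hardened_hash(username: str, password: str, salt: bytes) -> str:
    """Hypothetical hardened form: random per-user salt, case preserved, and
    length-prefixed fields so distinct (username, password) pairs can never
    yield identical input bytes, even if a salt were accidentally reused."""
    u = username.encode("utf-8")
    p = password.encode("utf-8")
    data = salt + len(u).to_bytes(2, "big") + u + len(p).to_bytes(2, "big") + p
    return _digest(data)

def new_salt() -> bytes:
    # 16 random bytes per user, generated at password-set time
    return os.urandom(16)

def find_shared_hashes(rows):
    """Audit helper: group usernames that share an identical stored hash,
    i.e. what the data-dictionary check in the paper reveals."""
    by_hash = {}
    for user, h in rows:
        by_hash.setdefault(h, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)

# Constructed sample account table (not real data) using the page's example
SAMPLE_ACCOUNTS = [
    ("Crack", legacy_style_hash("Crack", "password")),
    ("Crac", legacy_style_hash("Crac", "kpassword")),
    ("SCOTT", legacy_style_hash("SCOTT", "tiger")),
]

if __name__ == "__main__":
    print("accounts sharing a hash:", find_shared_hashes(SAMPLE_ACCOUNTS))
    s = new_salt()
    print("hardened still collides?",
          hardened_hash("Crack", "password", s) == hardened_hash("Crac", "kpassword", s))
```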

The two authors also describe relevant preventive measures in the paper. Combined with the recommendations on Oracle Metalink, a simple summary is as follows:

1. Control the permissions of the users used by web applications.
2. Restrict access to password hash information; the SELECT ANY DICTIONARY privilege should be carefully controlled.
3. Audit SELECT actions on the DBA_USERS view.
4. Encrypt TNS transmission content.
5. Increase the password length (at least 12 characters), apply a password expiration policy, and require passwords to mix letters and numbers to increase complexity, etc.
