I can see a nice DoS where someone attacks the database and locks the app account, essentially rendering the application useless. However, I was not worried about an attack, not yet at least; I was more worried about people "legitimately" having the password and using it even though they are not supposed to.

Thanks,
Alan.-

On Thu, Mar 10, 2011 at 9:35 AM, <Joel.Patterson@xxxxxxxxxxx> wrote:
>
> If the DB locks after 10 attempts, then would you not have a chance to
> block these brute-force attacks? After all, it would lock in less than a
> second, and so nobody would go anywhere until the source is found.
>
> Joel Patterson
> Database Administrator
> 904 727-2546
>
> -----Original Message-----
> From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
> On Behalf Of Greg Rahn
> Sent: Wednesday, March 09, 2011 6:03 PM
> To: cicciuxdba@xxxxxxxxx
> Cc: oracle-l-freelists
> Subject: Re: How are you authenticating your applications?
>
> On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort
> <cicciuxdba@xxxxxxxxx> wrote:
> > We are working on providing the hashed password, so all the non-DBAs get
> > is a hash... but I don't know how strong the encryption really is... and
> > I'd like to let my i7 have a go at cracking one and see how long it takes...
> > still, a non-human-intervention approach would be appreciated :-)
>
> I'm not sure what you mean by this, but I would strongly suggest this
> as a starting point:
> http://codahale.com/how-to-safely-store-a-password/
>
> BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA,
> rent a few dozen Amazon Web Services Cluster GPU instances and you
> will be frightened to learn how many hundreds of billions of password
> candidates (yes, billions!) you can try in a few seconds.
> All at the hands of anyone with an AWS account. Makes you think at
> least twice about password security.
>
> --
> Regards,
> Greg Rahn
> http://structureddata.org
> --
> //www.freelists.org/webpage/oracle-l