Re: How are you authenticating you applications?

Hi Alan,

I do not know about TomKat and in apache or oracle http server the username
and passwords are available in several files.
some one who knows littlebit about these things can easily get to know the
things..
what if you restrict the host name list in sqlnet.ora

thanks..subodh

On 10 March 2011 18:37, Guillermo Alan Bort <cicciuxdba@xxxxxxxxx> wrote:

> I can see a nice DoS where someone attacks the database and locks the app
> account essentially rendering the application useless.
>
> However, I was not worried about attack, not yet at least, I was more
> worried about people "legitimately" having the password and using it even
> though they are not supposed to.
>
> thanks
> Alan.-
>
>
>
> On Thu, Mar 10, 2011 at 9:35 AM, <Joel.Patterson@xxxxxxxxxxx> wrote:
>
>>
>> If the DB locks after 10 attempts, then would you not have a chance to
>> block these brute force attack?  After all it would lock in less than a
>> second, and so nobody would go anywhere until the source is found.
>>
>> Joel Patterson
>> Database Administrator
>> 904 727-2546
>>  -----Original Message-----
>> From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Greg Rahn
>> Sent: Wednesday, March 09, 2011 6:03 PM
>> To: cicciuxdba@xxxxxxxxx
>> Cc: oracle-l-freelists
>> Subject: Re: How are you authenticating you applications?
>>
>> On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort
>> <cicciuxdba@xxxxxxxxx> wrote:
>> >    We are working on providing the hashed password, so all the non-dbas
>> get
>> > is a hash... but I don't know how strong the eencryption really is...
>> and
>> > I'd like to let my i7 have a go at cracking one and see how long it
>> takes...
>> > still, a non-human-intervention approach would be appreciated :-)
>>
>> I'm not sure what you mean by this but I would strongly suggest this
>> as a starting point:
>> http://codahale.com/how-to-safely-store-a-password/
>>
>> BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA,
>> rent a few dozen Amazon Web Services Cluster GPU instances and you
>> will be frightened to learn how many hundreds of billions of password
>> candidates (yes billions!) you can try in a few seconds.
>> All at the hands of anyone with an AWS account.  Makes you think at
>> least twice about password security.
>>
>> --
>> Regards,
>> Greg Rahn
>> http://structureddata.org
>>  --
>> http://www.freelists.org/webpage/oracle-l
>>
>>
>>
>


-- 
==============================
DO NOT FORGET TO SMILE TODAY
==============================

Other related posts: