RE: Oracle password dictionary


Extproc is full of exploits itself. 

If you cannot enforce enough password strength checking in plsql
(password_verify_function) then why not use a stored procedure that calls
some java class that sticks to all your business rules for this purpose?

Regards,
Andre v Winssen



-----Oorspronkelijk bericht-----
Van: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx]
Namens Reidy, Ron
Verzonden: woensdag 15 juni 2005 17:53
Aan: thomas_arnezeder@xxxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Onderwerp: RE: Oracle password dictionary

Yes.  You can put a dictionary into the DB and then query against it.

We are using a extproc library callout to the cracklib library to =
enforce password strength.

-----------------
Ron Reidy
Lead DBA
Array BioPharma, Inc.


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of
thomas_arnezeder@xxxxxxxxxxxxxxx
Sent: Wednesday, June 15, 2005 9:48 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Oracle password dictionary


Got a question about password strength. It's possible to enforce the =
complexity of a password in the password_verify_function. But is there a =
way to check an oracle pw against a dictionary at the time the pw gets =
changed (and perhaps reject the new pw)? On UX you have the ckpw tool =
where you can check against a pw dictionary.
=20
Thanks,
Thomas
--
http://www.freelists.org/webpage/oracle-l

This electronic message transmission is a PRIVATE communication which =
contains
information which may be confidential or privileged. The information is =
intended=20
to be for the use of the individual or entity named above. If you are =
not the=20
intended recipient, please be aware that any disclosure, copying, =
distribution=20
or use of the contents of this information is prohibited. Please notify =
the
sender  of the delivery error by replying to this message, or notify us =
by
telephone (877-633-2436, ext. 0), and then delete it from your system.

--
http://www.freelists.org/webpage/oracle-l

--
http://www.freelists.org/webpage/oracle-l

Other related posts: