On Mon, Apr 24, 2006 at 05:30:16PM -0400, Juan Carlos Reyes Pacheco wrote:
> I remember this was only on old releases.
> Last releases don't need it, they are always encrypted.

It is weak encryption and Oracle posted this awhile back wrt practices:

-----------------------------------------------------------------------

Oracle Global Product Security has investigated the recent publication by Joshua Wright of the SANS Institute, and Carlos Cid of the University of London's Royal Holloway College, entitled "An Assessment of the Oracle Password Hashing Algorithm." This paper presents an analysis of the Oracle Database password hashing algorithm. It describes potential attacks against this algorithm when an attacker has access to password hash information.

Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. In particular, issues noted in the paper can be addressed through limiting access to password hash information, and by enforcing good enterprise password policies. Moreover, Oracle customers have authentication options available which avoid the issues described in this paper.

A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate potential attacks against the password hashing mechanisms in the Oracle Databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.

The MetaLink Doc ID is 340240.1.
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340240.1

Additional references:
http://www.oracle.com/technology/deploy/security/db_security/index.html
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf