Re: Parameter

  • From: Ray Stell <stellr@xxxxxxxxxx>
  • To: Juan Carlos Reyes Pacheco <juancarlosreyesp@xxxxxxxxx>
  • Date: Mon, 24 Apr 2006 22:33:51 -0400

On Mon, Apr 24, 2006 at 05:30:16PM -0400, Juan Carlos Reyes Pacheco wrote:
> I remember this was only on old releases.
> Last releases don't need it, they are always encrypted.


It is weak encryption and Oracle posted this a while back wrt practices:
-----------------------------------------------------------------------
 Oracle Global Product Security has investigated the recent publication by
 Joshua Wright of the SANS Institute, and Carlos Cid of the University of
 London's Royal Holloway College, entitled "An Assessment of the Oracle
 Password Hashing Algorithm." This paper presents an analysis of the Oracle
 Database password hashing algorithm.  It describes potential attacks
 against this algorithm when an attacker has access to password hash
 information.

 Oracle considers adherence to industry standard security practices the
 best way for customers to protect their database systems. In particular,
 issues noted in the paper can be addressed through limiting access to
 password hash information, and by enforcing good enterprise password
 policies.  Moreover, Oracle customers have authentication options
 available which avoid the issues described in this paper.

 A MetaLink note is now available that outlines the minimum essential
 steps customers should take to mitigate potential attacks against the
 password hashing mechanisms in the Oracle Databases. Customers who already
 follow industry standard security best practices, including those who have
 hardened or locked down their database systems, may still benefit from
 reviewing the MetaLink note.

 The MetaLink Doc ID is 340240.1.

 http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340240.1

 Additional references:

 http://www.oracle.com/technology/deploy/security/db_security/index.html

 http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
   
--
//www.freelists.org/webpage/oracle-l

