Pete Finnigan's Oracle database password checker

  • From: "Andre van Winssen" <dreveewee@xxxxxxxxx>
  • To: "Oracle-L Freelists" <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 7 Oct 2008 14:41:19 +0200


Pete Finnigan released v2 of his Oracle database password checker written in
PL/SQL. It's worth running against your (SOx) production databases to find
out about weak database passwords that might put in danger Confidentiality,
Integrity and/or Availability.
Of course, if you use a database password verification function in your
database for all new/altered database users, then weak passwords are
impossible during CREATE/ALTER USER.

The password checker can be found on Pete's webpage. It works with
Oracle 8i/9i/10g and even 11g if your users have 10g password hashes. All that
is required is a connection to the database with a database login that can
read the dictionary (e.g. DBSNMP). Since this is public now, anybody in your
network can run it against your databases, so you'd better find out yourself
first and then take action asap if required.

You'd be surprised to see what powerful privileges these accounts with weak
passwords might have. By abusing the privileges of these accounts one can
easily get control of the database, even when patched with the latest
critical patch update.

Kind regards,


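A password verification function of the kind the post recommends, written here as an added example (it is not code from the post or from Pete Finnigan's checker). The function name, profile name and target user are placeholders; the function must be created in the SYS schema to be usable in a profile.

```sql
-- Added example, not from the post: a PASSWORD_VERIFY_FUNCTION that rejects
-- weak passwords at CREATE USER / ALTER USER time. Oracle calls it with the
-- fixed signature (username, password, old_password) RETURN BOOLEAN.
-- Names oracle_l_verify / oracle_l_profile and user SCOTT are placeholders.
CREATE OR REPLACE FUNCTION oracle_l_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    has_digit  BOOLEAN := FALSE;
    has_alpha  BOOLEAN := FALSE;
    c          VARCHAR2(1);
BEGIN
    -- Minimum length
    IF LENGTH(password) < 10 THEN
        raise_application_error(-20001, 'Password must be at least 10 characters');
    END IF;
    -- Reject the username itself and well-known installation defaults
    IF UPPER(password) = UPPER(username)
       OR UPPER(password) IN ('MANAGER', 'CHANGE_ON_INSTALL', 'ORACLE', 'PASSWORD')
    THEN
        raise_application_error(-20002, 'Password is too predictable');
    END IF;
    -- Require at least one letter and at least one digit
    FOR i IN 1 .. LENGTH(password) LOOP
        c := SUBSTR(password, i, 1);
        IF c BETWEEN '0' AND '9' THEN has_digit := TRUE; END IF;
        IF UPPER(c) BETWEEN 'A' AND 'Z' THEN has_alpha := TRUE; END IF;
    END LOOP;
    IF NOT (has_digit AND has_alpha) THEN
        raise_application_error(-20003, 'Password needs both letters and digits');
    END IF;
    -- Must differ from the previous password (old_password is NULL if unknown)
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

-- Attach the function to a profile and assign that profile to a user.
CREATE PROFILE oracle_l_profile LIMIT PASSWORD_VERIFY_FUNCTION oracle_l_verify;
ALTER USER scott PROFILE oracle_l_profile;
```

The function only runs when a password is set or changed, so accounts that already hold weak passwords are untouched until their next ALTER USER; that is why a checker run against the existing hashes is still needed.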