RE: How are you authenticating your applications?

  • From: <Joel.Patterson@xxxxxxxxxxx>
  • To: <cicciuxdba@xxxxxxxxx>
  • Date: Thu, 10 Mar 2011 09:15:40 -0500

Yes, we digressed.

Or having their own accounts yet using ad hoc tools such as Excel, Access, and/or 
Cartesian products.  :)


Joel Patterson
Database Administrator
904 727-2546

________________________________
From: alanbort@xxxxxxxxx [mailto:alanbort@xxxxxxxxx] On Behalf Of Guillermo 
Alan Bort
Sent: Thursday, March 10, 2011 8:08 AM
To: Patterson, Joel
Cc: greg@xxxxxxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: How are you authenticating your applications?

I can see a nice DoS where someone attacks the database and locks the app 
account, essentially rendering the application useless.

However, I was not worried about attacks, not yet at least; I was more worried 
about people "legitimately" having the password and using it even though they 
are not supposed to.

thanks
Alan.-

On Thu, Mar 10, 2011 at 9:35 AM, <Joel.Patterson@xxxxxxxxxxx> wrote:

If the DB locks after 10 attempts, then would you not have a chance to block 
these brute force attacks?  After all, it would lock in less than a second, and 
so nobody would go anywhere until the source is found.

Joel Patterson
Database Administrator
904 727-2546
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Greg Rahn
Sent: Wednesday, March 09, 2011 6:03 PM
To: cicciuxdba@xxxxxxxxx
Cc: oracle-l-freelists
Subject: Re: How are you authenticating your applications?

On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort
<cicciuxdba@xxxxxxxxx> wrote:
>    We are working on providing the hashed password, so all the non-DBAs get
> is a hash... but I don't know how strong the encryption really is... and
> I'd like to let my i7 have a go at cracking one and see how long it takes...
> still, a non-human-intervention approach would be appreciated :-)

I'm not sure what you mean by this but I would strongly suggest this
as a starting point:
http://codahale.com/how-to-safely-store-a-password/

BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA,
rent a few dozen Amazon Web Services Cluster GPU instances and you
will be frightened to learn how many hundreds of billions of password
candidates (yes billions!) you can try in a few seconds.
All at the hands of anyone with an AWS account.  Makes you think at
least twice about password security.

--
Regards,
Greg Rahn
http://structureddata.org
--
//www.freelists.org/webpage/oracle-l
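Greg's link above points at the standard advice: store passwords under a slow, salted KDF (the article recommends bcrypt) so that a cracker's guess rate is bounded by the work factor rather than by raw hash throughput. As an added illustration that is not from any poster in this thread, the Python below uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt and measures the per-guess cost next to a plain SHA-1 hash; the password, salt and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Work factor: PBKDF2 iterations. Raising it slows every guess for the
# attacker and the defender alike, so tune it to your login latency budget.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # a random per-password salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the KDF from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record: " + algo)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn, seconds=0.5):
    """Rough single-core guessing rate for hash_fn: how fast a cracker can iterate."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = b"constructed-salt"  # fixed here only so the demo output is reproducible
    record = hash_password("correct horse battery", salt)
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery", record))
    print("wrong password verifies:", verify_password("correct horse batter", record))
    fast = guesses_per_second(lambda p: hashlib.sha1(p.encode()).hexdigest())
    slow = guesses_per_second(lambda p: hash_password(p, salt))
    print("plain SHA-1 guesses/s: %.0f" % fast)
    print("PBKDF2 (%d iters) guesses/s: %.2f" % (ITERATIONS, slow))
    print("each guess costs ~%.0fx more; GPUs speed up both, the ratio is what protects you" % (fast / slow))
```

The record stores its own iteration count, so the work factor can be raised later and old records still verify until they are rehashed at next login.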
