Yes, we digressed. Or having there own accounts yet use ad hoc tools such as excel, access, and/or Cartesian products. :) Joel Patterson Database Administrator 904 727-2546 ________________________________ From: alanbort@xxxxxxxxx [mailto:alanbort@xxxxxxxxx] On Behalf Of Guillermo Alan Bort Sent: Thursday, March 10, 2011 8:08 AM To: Patterson, Joel Cc: greg@xxxxxxxxxxxxxxxxxx; oracle-l@xxxxxxxxxxxxx Subject: Re: How are you authenticating you applications? I can see a nice DoS where someone attacks the database and locks the app account essentially rendering the application useless. However, I was not worried about attack, not yet at least, I was more worried about people "legitimately" having the password and using it even though they are not supposed to. thanks Alan.- On Thu, Mar 10, 2011 at 9:35 AM, <Joel.Patterson@xxxxxxxxxxx<mailto:Joel.Patterson@xxxxxxxxxxx>> wrote: If the DB locks after 10 attempts, then would you not have a chance to block these brute force attack? After all it would lock in less than a second, and so nobody would go anywhere until the source is found. Joel Patterson Database Administrator 904 727-2546 -----Original Message----- From: oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx> [mailto:oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>] On Behalf Of Greg Rahn Sent: Wednesday, March 09, 2011 6:03 PM To: cicciuxdba@xxxxxxxxx<mailto:cicciuxdba@xxxxxxxxx> Cc: oracle-l-freelists Subject: Re: How are you authenticating you applications? On Wed, Mar 9, 2011 at 11:11 AM, Guillermo Alan Bort <cicciuxdba@xxxxxxxxx<mailto:cicciuxdba@xxxxxxxxx>> wrote: > We are working on providing the hashed password, so all the non-dbas get > is a hash... but I don't know how strong the eencryption really is... and > I'd like to let my i7 have a go at cracking one and see how long it takes... > still, a non-human-intervention approach would be appreciated :-) I'm not sure what you mean by this but I would strongly suggest this as a starting point: http://codahale.com/how-to-safely-store-a-password/ BTW, an i7 is nothing... just spend a week or so to learn Nvidia CUDA, rent a few dozen Amazon Web Services Cluster GPU instances and you will be frightened to learn how many hundreds of billions of password candidates (yes billions!) you can try in a few seconds. All at the hands of anyone with an AWS account. Makes you think at least twice about password security. -- Regards, Greg Rahn http://structureddata.org -- //www.freelists.org/webpage/oracle-l