On 20/01/2014 12:11 PM, david@xxxxxxxxxxxxxxxxxxxx wrote:
The hash has never been passed over the wire - I describe in detail how authentication works in the Oracle Hacker's Handbook in Chapter 4. Here's an online copy: http://books.google.com.au/books?id=cDy2_QoQplEC&lpg=PA43&ots=5tygnUMzKQ&dq=oracle%20authentication%20process%20litchfield&pg=PA43#v=onepage&q=oracle%20authentication%20process%20litchfield&f=false
Thanks. Unfortunately, that online reference ends before the really relevant bit is shown. But the gist is: the hash is not sent online on 1521, nor the pwd. Something else is. It can be intercepted and decoded *IF* one knows which port to listen for, waiting for a "change port" and then following on. As such, changing the initial port is a good annoyance value: it makes finding which port the real "meat" is in slightly harder. In these days of supercomputer-class desktops, it shouldn't be too hard, though.
I know about all the other secure authentication methods. Good luck making them work with minimal maintenance in a constantly changing user universe... Ah well, what can I say other than: it's Oracle "security": simple for hackers, a nightmare for those who have to maintain it....
-- Cheers Nuno Souto dbvision@xxxxxxxxxxxx