RE: passwords (a bit of a rant)

  • From: "Brady, Mark" <mbrady@xxxxxxxxxxxxxxxx>
  • To: "dbvision@xxxxxxxxxxxx" <dbvision@xxxxxxxxxxxx>, "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 15 Aug 2013 11:46:47 -0400

> Got a fix for it now but it nearly drove me nuts.

Can you share that? Was it a technical fix or an HR fix?

;-)

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Nuno Souto
Sent: Wednesday, August 14, 2013 6:33 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: passwords (a bit of a rant)

See below
--
Cheers
Nuno Souto
dbvision@xxxxxxxxxxxx


On 14/08/2013 6:09 AM, Guillermo Alan Bort wrote:

> completely unrelated words that the crappy 7331 passwords that IT Sec
> seems

I love to run some of the L337-speak passwords that IT spec demands
through a password cracker.
9 times out of 10, they are the easiest to crack...


> a security feature. I often find TOAD or SQL Developer from windows
> machines on the OOB vlan connected to the database with the schema
> owner of an application. This is bad, because not everybody bothers
> checking their queries before executing them and this can lead to
> horrible, horrible things running in the database (like a Cartesian
> join of two multi-million-row tables). This happens when an app uses

Or worse yet: when they leave a query window open tying up half my
parallel query service processes in an inactive cursor, thereby ensuring
my overnight ETL will overrun...
Got a fix for it now but it nearly drove me nuts.

> Furthermore, changing application passwords is usually very hard
> (and more often than not it involves downtime of some sort), so if a

Try doing it on the Peoplesoft HR app server or for PSMAN and I'll
guarantee a re-install...

> I seem to remember Oracle supports other types of authentication
> (other than passwords) but they don't seem to cut it.

And yet, it's the simplest thing in OS-land.  None of our ssh
connections require a password anymore:
auth tokens are more than enough.
I think external login authentication was an attempt to make it happen,
but I don't know of anyone using it successfully.

> What are your opinions on oracle authentication and where it lacks?

Most of the apps we run ignore it.  They use either a generic login and
their own login/pswd pairs, à la Peoplesoft and Apex+LDAP.   Or a db
login that does nothing and has nothing and a login trigger that sets
things up properly.

> How do you handle password management, and application, developer and
> end user access to databases?

Where possible, I use "alter session set current_schema=schema_owner;"
from user SYS.
If not adequate, then I snapshot the encrypted pwd into a text file,
replace it with something I can type in less than 1 hour, login, do the
work, then go back to SYS and replace the new pwd with the old encrypted
one using good old "identified by values".

>
> I haven't looked through all the 12c new features, is there anything
> new on this area?

Unfortunately, what I hoped for didn't happen.
In a nutshell: http://dbasrus.blogspot.com.au/2011/11/wish-list-for-12c.html
Ah well: another missed opportunity for Oracle to do something actually
useful to dbas.
Instead of blaming them for everything including global warming...


--
//www.freelists.org/webpage/oracle-l
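The "snapshot the hash, set a typeable password, restore the hash" routine Nuno describes above, written out as an added SQL*Plus example (not from the original post or from Oracle documentation beyond the statements used); the schema name APP_OWNER, the temporary password, the connect string and the hash string are placeholders:

```sql
-- Added example, run as SYS in SQL*Plus. APP_OWNER, the temporary password,
-- the connect string and the hash string are placeholders.

-- Preferred first: change no credential at all. Unqualified object names in
-- this session now resolve to APP_OWNER's objects.
ALTER SESSION SET CURRENT_SCHEMA = app_owner;

-- If that is not enough and you really must connect as the schema owner:

-- 1. Snapshot the existing password hash. DBMS_METADATA returns a CREATE USER
--    statement containing IDENTIFIED BY VALUES '<hash>'; save that string.
SET LONG 20000
SELECT DBMS_METADATA.GET_DDL('USER', 'APP_OWNER') FROM dual;
--   CREATE USER "APP_OWNER" IDENTIFIED BY VALUES 'S:...;T:...' ...  (placeholder)

-- 2. Set a temporary password you can type, then connect as the owner.
ALTER USER app_owner IDENTIFIED BY "Temp-Only-For-This-Change-1";
CONNECT app_owner/"Temp-Only-For-This-Change-1"@db_placeholder
-- ... do the work here ...

-- 3. Back as SYS, put the original hash back so the application's stored
--    credential works again. No plaintext password is ever needed.
CONNECT / AS SYSDBA
ALTER USER app_owner IDENTIFIED BY VALUES 'S:...;T:...';   -- paste the saved hash

-- Checks a practitioner wants before doing this:
-- * Between steps 2 and 3 every application login with the old password
--   fails (ORA-01017) and counts toward FAILED_LOGIN_ATTEMPTS in the profile,
--   so do it in a maintenance window or the account can end up locked.
-- * IDENTIFIED BY VALUES writes the hash directly, so the profile's
--   PASSWORD_VERIFY_FUNCTION is not applied to the restore; that is expected.
-- * Both ALTER USER statements land in the audit trail when ALTER USER is
--   audited, which is how you tell a planned change from an unauthorised reset.
```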



