Research: Oracle Passwords Weak

By Lisa Vaas  |  Posted 2005-11-07

Attackers can easily crack even strong Oracle database passwords and gain access to critical enterprise data because of weak password protection mechanisms, researchers have warned.

In the most recent of Oracles security woes, Joshua Wright of the SANS Institute and Carlos Cid of the Information Security Group at the University of Londons Royal Holloway College gave a presentation on their findings at the SANS Network Security conference in Los Angeles last week.

The duos paper, "An Assessment of the Oracle Password Hashing Algorithm," calls for Oracle to bolster its password hashing mechanism. As it now stands, malicious users can recover even strong, well-constructed passwords within minutes, the researchers have found.

Wright and Cids research has revealed that Oracles password handling has multiple weaknesses: weak password salt selection, lack of alphabetic case preservation and a weak hashing algorithm.

Rocket Fuel