Oracle password best practices


Josh Shaul & Aaron Ingram
11.06.2007


This tip is excerpted from the book Practical Oracle Security: Your Unauthorized Guide to Relational Database Security by Josh Shaul and Aaron Ingram. Printed with permission from Syngress, a division of Elsevier. Copyright 2008. For more information about this title, please visit www.syngress.com.

Authentication is the gateway to the database, and for the vast majority of Oracle systems, the gatekeeper requires no more than a valid username and password pair to allow anyone to pass. One can argue over the merits of username- and password-based authentication, and can make claims about external authentication mechanisms being better, stronger, faster. However, those arguments will not be made here. Instead, we're going to focus on what Oracle has given us, and what we see practically every production Oracle system using. The native Oracle authentication mechanisms are secure enough for almost all systems, but only when used properly.

Passwords are a critical component of your Oracle security infrastructure. This chapter focuses on establishing a system that ensures that all your passwords are difficult to guess, then configuring protections to thwart password-guessing attacks against your databases.

Configuring Strong Passwords

Keeping unauthorized individuals out of your Oracle databases requires you to ensure that every user has a strong password. Passwords are important. They hold the key to each database, allowing anybody with the right password into the system. Passwords are also a target of attackers and their powerful automated attack tools. There are more password crackers out there than any other kind of hacker tool. Try searching in Google. I got 1.7 million results when I searched on the term "password cracker". The last result on the first page (see Figure 7.1) was particularly interesting.

Figure 7.1 Oracle Password Cracker [IMAGE]

You don't make it to the front page on a list of nearly 2 million search entries without a lot of clicks. The notorious John the Ripper was just a few entries above this one. The point is that it takes little more than the ability to point and click to download a powerful password-cracking tool. It's not much more difficult to point that tool at a database and start breaking in. These tools are out there and a large number of people are using them. Strong passwords are the first line of defense against these attack tools.

What Makes a Password Weak?

Weak passwords are easy to guess. This includes more than the passwords that are easy for a person to guess, but also those that are easy for a computer to guess. Password crackers are computer programs that are built to guess passwords. Password crackers can work in different ways, but the most common is dictionary-driven, where the tool cycles through a dictionary of passwords, trying each password in the dictionary for each known account (or even every username in a separate dictionary) until it is able to log in. Simply put, if a password is likely to end up in a password cracking tool's dictionary file, then it is a weak password. But how can you tell?

Start with the English dictionary. If a word is in there, it's easy to guess. Next add in cities and sports teams. Add numbers to make up dates, like birthdays or anniversaries. Finally, add simple patterns like 12345 or qwerty. You will find most if not all of these in a typical password cracker dictionary file.

Usernames are also weak passwords. It's very common to see accounts in Oracle databases where the password is the same as the username. This should really be no surprise; if anything, this is a trend that Oracle themselves started. The majority of the accounts Oracle includes in the database by default have their password set to their username.


TIP
Oracle takes steps to protect passwords in the system. First, all passwords are stored as a password hash, never in cleartext. Looking at the password hash tells you nothing about the password. Second, Oracle blocks access to the password hashes, storing them in the SYS schema and only displaying them in the database administrator (DBA) views (in Oracle 11g, even the DBA_USERS view does not show passwords).

Usernames, however, are not protected. Anyone with access to the database can get a list of users by selecting from the ALL_USERS view (SELECT granted to PUBLIC by default). This makes it easy to test every account in the database for a password that equals the username, and potentially gain unauthorized access to the system.


Another form of password cracking is called brute-force password guessing. Brute-force is more aggressive than a dictionary attack, primarily focusing on short passwords. A brute-force password cracker takes aim at a certain number of characters (usually no more than 4 or 5 characters) and then guesses every combination of typeable characters of the maximum length or less. This can be a long process. Oracle actually limits the number of typeable characters by converting all passwords to uppercase before hashing (this changes in 11g). In total, there are 68 different characters that can form an Oracle password. A brute-force search on four-character passwords involves searching all one-character passwords (68 of them), all two-character passwords (4624 of them), all three-character passwords (314,432 of them), and all four-character passwords (21,381,376 of them). That's a lot of passwords, and the number keeps going up exponentially as you add more characters to the password. At or beyond six characters, brute-force password cracking is generally ineffective, as it requires guessing billions of combinations.

It's best to assume that a password that meets any of the following criteria is weak:

  • It appears in the English dictionary
  • It is the name of a well-known city anywhere in the world
  • It is the name of any professional sports team
  • It is a calendar date
  • It is a simple pattern, such as abcdef, 98765, or jjjjjj
  • It is the same as the username
  • It is less than six characters long
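As an added example (not code from the book), the following Python check applies the seven weak-password criteria listed above to a candidate password, folding it to upper case first because pre-11g Oracle hashes passwords that way, so letter case adds nothing. The small word list is a constructed stand-in for the English dictionary, city and sports-team lists the chapter describes; a real check would load full wordlists.

```python
import re
from datetime import date

# Constructed stand-in for the dictionary, city and sports-team wordlists.
WORDLIST = {"welcome", "oracle", "password", "manager", "london", "chicago",
            "yankees", "lakers", "tiger"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _is_calendar_date(pw):
    """True if pw is 6 or 8 digits (separators allowed) forming a real date."""
    digits = re.sub(r"[^0-9]", "", pw)
    if digits != re.sub(r"[-/. ]", "", pw) or len(digits) not in (6, 8):
        return False
    # ddmmyyyy / mmddyyyy, or ddmmyy / mmddyy expanded to 19xx and 20xx
    years = [digits[4:]] if len(digits) == 8 else ["19" + digits[4:], "20" + digits[4:]]
    layouts = [(y, digits[2:4], digits[:2]) for y in years]
    layouts += [(y, digits[:2], digits[2:4]) for y in years]
    if len(digits) == 8:  # yyyymmdd
        layouts.append((digits[:4], digits[4:6], digits[6:]))
    for y, m, d in layouts:
        try:
            date(int(y), int(m), int(d))
            return True
        except ValueError:
            continue
    return False


def _is_simple_pattern(pw):
    s = pw.lower()
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({0}, {1}, {-1}):  # jjjjjj, abcdef, 98765
        return True
    return any(s in r or s in r[::-1] for r in KEYBOARD_ROWS)  # qwerty, poiuy


def weak_password_reasons(username, password):
    """Return the chapter's weak-password criteria that this password fails."""
    pw = password.upper()  # pre-11g Oracle folds case before hashing
    reasons = []
    if len(pw) < 6:
        reasons.append("shorter than six characters")
    if pw == username.upper():
        reasons.append("same as the username")
    if pw.lower() in WORDLIST:
        reasons.append("dictionary word, city or sports-team name")
    if _is_calendar_date(pw):
        reasons.append("calendar date")
    if _is_simple_pattern(pw):
        reasons.append("simple pattern")
    return reasons
```

An empty list means the password passes every criterion in the list above; the same logic could be ported into an Oracle PASSWORD_VERIFY_FUNCTION so the database enforces it at password-change time.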

Who Can Remember a Strong Password?

Actually, it's worse than just remembering one password. You need a different strong password for every system. That's hard, particularly when you want to choose passwords like wygc?gb! or gy7*ui9clor. What you need is a system that allows you to generate seemingly random strings that actually aren't random at all. It all starts by picking a methodology or technology for choosing your passwords.
