This tip is excerpted from the book Practical Oracle Security: Your Unauthorized Guide to Relational Database Security by Josh Shaul and Aaron Ingram. Printed with permission from Syngress, a division of Elsevier. Copyright 2008. For more information about this title, please visit www.syngress.com.
Authentication is the gateway to the database, and for the vast majority of Oracle systems, the gatekeeper requires no more than a valid username and password pair to allow anyone to pass. One can argue over the merits of username- and password-based authentication, and can make claims about external authentication mechanisms being better, stronger, faster. However, those arguments will not be made here. Instead, we're going to focus on what Oracle has given us, and what we see practically every production Oracle system using. The native Oracle authentication mechanisms are secure enough for almost all systems, but only when used properly.
Passwords are a critical component of your Oracle security infrastructure. This chapter focuses on establishing a system that ensures that all your passwords are difficult to guess, then configuring protections to thwart password-guessing attacks against your databases.
Configuring Strong Passwords
Keeping unauthorized individuals out of your Oracle databases requires you to ensure that every user has a strong password. Passwords are important. They hold the key to each database, allowing anybody with the right password into the system. Passwords are also a target of attackers and their powerful automated attack tools. There are more password crackers out there than any other kind of hacker tool. Try searching in Google. I got 1.7 million results when I searched on the term "password cracker". The last result on the first page (see Figure 7.1) was particularly interesting.
Figure 7.1 Oracle Password Cracker
You don't make it to the front page on a list of nearly 2 million search entries without a lot of clicks. The notorious John the Ripper was just a few entries above this one. The point is that it takes little more than the ability to point and click to download a powerful password-cracking tool. It's not much more difficult to point that tool at a database and start breaking in. These tools are out there and a large number of people are using them. Strong passwords are the first line of defense against these attack tools.
What Makes a Password Weak?
Weak passwords are easy to guess. This includes more than the passwords that are easy for a person to guess; it also includes those that are easy for a computer to guess. Password crackers are computer programs that are built to guess passwords. Password crackers can work in different ways, but the most common is dictionary-driven, where the tool cycles through a dictionary of passwords, trying each password in the dictionary for each known account (or even every username in a separate dictionary) until it is able to log in. Simply put, if a password is likely to end up in a password cracking tool's dictionary file, then it is a weak password. But how can you tell?
Start with the English dictionary. If a word is in there, it's easy to guess. Next add in cities and sports teams. Add numbers to make up dates, like birthdays or anniversaries. Finally, add simple patterns like 12345 or qwerty. You will find most if not all of these in a typical password cracker dictionary file.
Usernames are also weak passwords. It's very common to see accounts in Oracle databases where the password is the same as the username. This should really be no surprise; if anything, it is a trend that Oracle itself started. The majority of the accounts Oracle includes in the database by default have their password set to their username.
Oracle takes steps to protect passwords in the system. First, all passwords are stored as a password hash, never in cleartext. Looking at the password hash tells you nothing about the password. Second, Oracle blocks access to the password hashes, storing them in the SYS schema and only displaying them in the database administrator (DBA) views (in Oracle 11g, even the DBA_USERS view does not show passwords).
Usernames, however, are not protected. Anyone with access to the database can get a list of users by selecting from the ALL_USERS view (SELECT granted to PUBLIC by default). This makes it easy to test every account in the database for a password that equals the username, and potentially gain unauthorized access to the system.
Another form of password cracking is called brute-force password guessing. Brute-force is more aggressive than a dictionary attack, primarily focusing on short passwords. A brute-force password cracker takes aim at a certain number of characters (usually no more than 4 or 5 characters) and then guesses every combination of typeable characters of the maximum length or less. This can be a long process. Oracle actually limits the number of typeable characters by converting all passwords to uppercase before hashing (this changes in 11g). In total, there are 68 different characters that can form an Oracle password. A brute-force search of all passwords up to four characters involves trying all one-character passwords (68 of them), all two-character passwords (4,624 of them), all three-character passwords (314,432 of them), and all four-character passwords (21,381,376 of them). That's a lot of passwords, and the number keeps going up exponentially as you add more characters to the password. At or beyond six characters, brute-force password cracking is generally ineffective, as it requires guessing billions of combinations.
It's best to assume that a password that meets any of the following criteria is weak:
- It appears in the English dictionary
- It is the name of a well-known city anywhere in the world
- It is the name of any professional sports team
- It is a calendar date
- It is a simple pattern, such as abcdef, 98765, or jjjjjj
- It is the same as the username
- It is less than six characters long
Who Can Remember a Strong Password?
Actually, it's worse than just remembering one password. You need a different strong password for every system. That's hard, particularly when you want to choose passwords like wygc?gb! or gy7*ui9clor. What you need is a system that allows you to generate seemingly random strings that actually aren't random at all. It all starts by picking a methodology or technology for choosing your passwords.
This was first published in November 2007