In the s, there was a big discussion on Oracle password security, mainly aimed at Oracle's password encryption design at that time. The following is a summary, by Feng Dahui, of this series of research reports.
Editor's note: This article was written on February 22, August. Over the past few days, the news on Oracle security has been shocking.
It seems that security experts are focusing on Oracle. As Oracle's encryption system is being studied in depth, some people have dug up the general outline of Oracle's encryption algorithm again, presumably to attract the attention of the Oracle technical community. Some busybody, pretending to be Daniel A. Morgan of PSOUG, posted this article in a Google newsgroup. The article begins with the design goal of Oracle passwords ("reverse engineering") and then introduces the general idea of the encryption as follows:
◆ Combine the username and password into a string "s"
◆ Convert "s" to Unicode
◆ Encrypt it with DES in ncbc mode. The key is 0x123456789abcdef, and the initialization vector is 0.
◆ Encrypt the same string again, using the updated initialization vector as the key
◆ Use the updated initialization vector as the hash
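The five steps above, written out in Go as an added example (not code from the original article or from Oracle). The names `LegacyHash` and `lastCBCBlock` are hypothetical, and three details are assumptions the list does not state: the string is upper-cased, "unicode" means UTF-16 big-endian, and the input is zero-padded to the DES block size. It shows two properties an auditor should know: the user name is the only salt, and because user name and password are simply concatenated, different account/password pairs can share one hash.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Fixed key from the list above, written out as eight bytes.
var fixedKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}

// lastCBCBlock encrypts data with DES-CBC under key and a zero IV and returns
// the final ciphertext block, i.e. the "updated initialization vector".
func lastCBCBlock(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only reachable if key is not 8 bytes long
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// LegacyHash returns the 16-hex-digit hash for a user name and password.
// Assumptions not on the page: upper-casing, UTF-16BE, zero padding.
func LegacyHash(username, password string) string {
	s := strings.ToUpper(username + password)
	var buf []byte
	for _, u := range utf16.Encode([]rune(s)) {
		buf = append(buf, byte(u>>8), byte(u))
	}
	for len(buf) == 0 || len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0) // pad to a whole block, also for empty input
	}
	iv := lastCBCBlock(fixedKey, buf) // first pass: fixed key
	return strings.ToUpper(hex.EncodeToString(lastCBCBlock(iv, buf)))
}

func main() {
	// Constructed sample accounts; none of these values come from the page.
	fmt.Println("hash:", LegacyHash("SCOTT", "TIGER"))
	fmt.Println("same password, different users collide:",
		LegacyHash("ALICE", "Welcome1") == LegacyHash("BOB", "Welcome1"))
	fmt.Println("shifted user/password boundary collides:",
		LegacyHash("SYSTEM", "MANAGER") == LegacyHash("SYS", "TEMMANAGER"))
}
```

Since nothing random enters the computation, a stored hash can be checked offline against any candidate password, which is why dictionary-based checking tools work against this format.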
With Pandora's box opened, many password cracking tools have sprung up. Currently, there are no more than 10 tools. orabf 0.7 is the fastest: on a Pentium 4, 3 GHz (Windows XP) machine, 1,100,000 passwords can be cracked every second (exaggerated). The well-known Oracle security research vendor Red Database Security has also released its own password checking tool, Checkpwd. Like orabf, this tool is dictionary-based. The site also provides a variety of Oracle password cracking tools and is worth reading. It is also worth noting that someone has written a plug-in for John the Ripper, a veteran cracking tool.
In fact, this research into Oracle password encryption was started by Bob Baldwin in 1993, but it does not seem to have caught people's attention at first. Why have security experts started to dig up this old history? One reason is that Oracle does indeed have many security problems, and there are also many problems with passwords (for example, the password of a database link is saved in the database in plain text). Another reason may be related to the statement by Davidson, Chief Security Officer of Oracle. I'm afraid her wording has greatly angered security experts. There is more drama to come...
Original article title: Is Oracle password cracking easy?