Educause Security Discussion mailing list archives

Re: Complex passwords and Oracle


From: Randy Marchany <marchany () VT EDU>
Date: Mon, 15 Sep 2008 14:06:30 -0400

Google "oracle password weakness" and you'll get a number of papers describing
problems with Oracle's password algorithm. It's supposedly fixed with the
latest versions of Oracle or if you get their Security Package.

Older versions of Oracle converted your password to uppercase among other
things.
Check out http://www.sans.org/rr/special/index.php?id=oracle_pass. This is
the 2005 paper that describes the problems with 'earlier' versions of Oracle.
It's pretty depressing from a security standpoint. Oracle has corrected the
problems in later versions but this should have never happened in the first
place.

The general point of this is that your password strength rules may be undercut
by vendor password restrictions. You need to examine all of your vendor
password requirements to come up with a workable lowest common denominator.

        -Randy Marchany
        VA Tech IT Security Office
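
An added example, not part of the original post: the vendor review described above, written as Python that combines per-system password restrictions into a lowest common denominator and lists which site rules each system undercuts. The VendorRule type, the legacy_db and directory profiles, and the SITE policy are constructed for illustration and are not taken from any vendor's documentation.

```python
import math
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class VendorRule:
    name: str
    max_length: int
    allowed: frozenset      # characters the system accepts
    folds_case: bool        # True if the system uppercases the password

def common_rule(rules):
    """Lowest common denominator: what every listed system can honor."""
    return VendorRule(
        name="common",
        max_length=min(r.max_length for r in rules),
        allowed=frozenset.intersection(*(r.allowed for r in rules)),
        folds_case=any(r.folds_case for r in rules),
    )

def effective_bits(rule, length):
    """Upper bound on entropy of a random password after vendor handling."""
    alphabet = {c.upper() for c in rule.allowed} if rule.folds_case else rule.allowed
    return min(length, rule.max_length) * math.log2(len(alphabet))

def policy_gaps(site, rule):
    """List the site requirements this vendor rule undercuts."""
    gaps = []
    if site["min_length"] > rule.max_length:
        gaps.append(f"min_length {site['min_length']} exceeds max {rule.max_length}")
    if site["mixed_case"] and rule.folds_case:
        gaps.append("mixed-case requirement adds no strength (case is folded)")
    missing = set(site["required_symbols"]) - rule.allowed
    if missing:
        gaps.append("symbols not accepted: " + "".join(sorted(missing)))
    return gaps

# Constructed profiles for illustration; not taken from any vendor's documentation.
ALNUM = frozenset(string.ascii_letters + string.digits)
LEGACY_DB = VendorRule("legacy_db", 30, ALNUM | frozenset("_#$"), folds_case=True)
DIRECTORY = VendorRule("directory", 64, ALNUM | frozenset(string.punctuation), folds_case=False)
SITE = {"min_length": 12, "mixed_case": True, "required_symbols": "!@"}

if __name__ == "__main__":
    common = common_rule([LEGACY_DB, DIRECTORY])
    for rule in (LEGACY_DB, DIRECTORY, common):
        print(rule.name, round(effective_bits(rule, SITE["min_length"]), 1),
              policy_gaps(SITE, rule))
```
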
