Oracle password best practices


Josh Shaul & Aaron Ingram
11.06.2007


This tip is excerpted from the book Practical Oracle Security: Your Unauthorized Guide to Relational Database Security by Josh Shaul and Aaron Ingram. Printed with permission from Syngress, a division of Elsevier. Copyright 2008. For more information about this title, please visit www.syngress.com.

Authentication is the gateway to the database, and for the vast majority of Oracle systems, the gatekeeper requires no more than a valid username and password pair to allow anyone to pass. One can argue over the merits of username- and password-based authentication, and can make claims about external authentication mechanisms being better, stronger, faster. However, those arguments will not be made here. Instead, we're going to focus on what Oracle has given us, and what we see practically every production Oracle system using. The native Oracle authentication mechanisms are secure enough for almost all systems, but only when used properly.

Passwords are a critical component of your Oracle security infrastructure. This chapter focuses on establishing a system that ensures that all your passwords are difficult to guess, then configuring protections to thwart password-guessing attacks against your databases.

Configuring Strong Passwords

Keeping unauthorized individuals out of your Oracle databases requires you to ensure that every user has a strong password. Passwords are important. They hold the key to each database, allowing anybody with the right password into the system. Passwords are also a target of attackers and their powerful automated attack tools. There are more password crackers out there than any other kind of hacker tool. Try searching in Google. I got 1.7 million results when I searched on the term "password cracker". The last result on the first page (see Figure 7.1) was particularly interesting.

Figure 7.1 Oracle Password Cracker

You don't make it to the front page on a list of nearly 2 million search entries without a lot of clicks. The notorious John the Ripper was just a few entries above this one. The point is that it takes little more than the ability to point and click to download a powerful password-cracking tool. It's not much more difficult to point that tool at a database and start breaking in. These tools are out there and a large number of people are using them. Strong passwords are the first line of defense against these attack tools.

What Makes a Password Weak?

Weak passwords are easy to guess. This includes more than the passwords that are easy for a person to guess, but also those that are easy for a computer to guess. Password crackers are computer programs that are built to guess passwords. Password crackers can work in different ways, but the most common is dictionary-driven, where the tool cycles through a dictionary of passwords, trying each password in the dictionary for each known account (or even every username in a separate dictionary) until it is able to log in. Simply put, if a password is likely to end up in a password cracking tool's dictionary file, then it is a weak password. But how can you tell?

Start with the English dictionary. If a word is in there, it's easy to guess. Next add in cities and sports teams. Add numbers to make up dates, like birthdays or anniversaries. Finally, add simple patterns like 12345 or qwerty. You will find most if not all of these in a typical password cracker dictionary file.

Usernames are also weak passwords. It's very common to see accounts in Oracle databases where the password is the same as the username. This should really be no surprise; if anything, this is a trend that Oracle themselves started. The majority of the accounts Oracle includes in the database by default have their password set to their username.


TIP
Oracle takes steps to protect passwords in the system. First, all passwords are stored as a password hash, never in cleartext. Looking at the password hash tells you nothing about the password. Second, Oracle blocks access to the password hashes, storing them in the SYS schema and only displaying them in the database administrator (DBA) views (in Oracle 11g, even the DBA_USERS view does not show passwords).

Usernames, however, are not protected. Anyone with access to the database can get a list of users by selecting from the ALL_USERS view (SELECT granted to PUBLIC by default). This makes it easy to test every account in the database for a password that equals the username, and potentially gain unauthorized access to the system.


Another form of password cracking is called brute-force password guessing. Brute-force is more aggressive than a dictionary attack, primarily focusing on short passwords. A brute-force password cracker takes aim at a certain number of characters (usually no more than 4 or 5 characters) and then guesses every combination of typeable characters of the maximum length or less. This can be a long process. Oracle actually limits the number of typeable characters by converting all passwords to uppercase before hashing (this changes in 11g). In total, there are 68 different characters that can form an Oracle password. A brute-force search on four-character passwords involves searching all one-character passwords (68 of them), all two-character passwords (4624 of them), all three-character passwords (314,432 of them), and all four-character passwords (21,381,376 of them). That's a lot of passwords, and the number keeps going up exponentially as you add more characters to the password. At or beyond six characters, brute-force password cracking is generally ineffective, as it requires guessing billions of combinations.

It's best to assume that a password that meets any of the following criteria is weak:

  • It appears in the English dictionary
  • It is the name of a well-known city anywhere in the world
  • It is the name of any professional sports team
  • It is a calendar date
  • It is a simple pattern, such as abcdef, 98765, or jjjjjj
  • It is the same as the username
  • It is less than six characters long
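The seven criteria above, together with the 68-character keyspace arithmetic from the brute-force paragraph, can be turned into a simple audit check that a DBA runs against proposed passwords before they are set. This is an added example, not code from the book or from Oracle; the DICTIONARY set is a tiny constructed stand-in for a real cracker word list, and the date layouts and pattern rules are assumptions about what "calendar date" and "simple pattern" should cover.

```python
from datetime import datetime

# Constructed stand-in for a cracker's dictionary: words, cities, teams and
# a few well-known Oracle default passwords. Real files hold millions of entries.
DICTIONARY = {"oracle", "welcome", "password", "manager", "tiger",
              "boston", "london", "tokyo", "yankees", "lakers"}

# Oracle (before 11g) uppercases passwords before hashing; the chapter counts
# 68 distinct characters in the resulting alphabet.
ORACLE_ALPHABET = 68


def _is_calendar_date(pw):
    """True for common all-numeric date layouts such as 04072001 or 2001-07-04 (assumed set)."""
    for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y-%m-%d"):
        try:
            datetime.strptime(pw, fmt)
            return True
        except ValueError:
            continue
    return False


def _is_simple_pattern(pw):
    """jjjjjj (one repeated character) or abcdef / 98765 (consecutive codes up or down)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def weak_password_reasons(password, username):
    """Return every criterion from the chapter's list that the password trips (empty = not obviously weak)."""
    pw = password.lower()  # case-insensitive: pre-11g hashing folds case anyway
    reasons = []
    if len(pw) < 6:
        reasons.append("shorter than six characters")
    if pw == username.lower():
        reasons.append("same as username")
    if pw in DICTIONARY:
        reasons.append("dictionary word, city, team or default")
    if _is_calendar_date(pw):
        reasons.append("calendar date")
    if _is_simple_pattern(pw):
        reasons.append("simple pattern")
    return reasons


def brute_force_guesses(max_length, alphabet=ORACLE_ALPHABET):
    """Guesses needed to exhaust every password of max_length characters or fewer."""
    return sum(alphabet ** n for n in range(1, max_length + 1))
```

brute_force_guesses(4) reproduces the chapter's figures (68 + 4,624 + 314,432 + 21,381,376 = 21,700,500 guesses), and brute_force_guesses(6) shows why six characters pushes the count past a hundred billion.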

Who Can Remember a Strong Password?

Actually, it's worse than just remembering one password. You need a different strong password for every system. That's hard, particularly when you want to choose passwords like wygc?gb! or gy7*ui9clor. What you need is a system that allows you to generate seemingly random strings that actually aren't random at all. It all starts by picking a methodology or technology for choosing your passwords.

Read the rest of the chapter here
