- Alexander Kornbrust Oracle Security Blog - http://blog.red-database-security.com -

Update of “Project Lockdown” released

This entry was posted by Alexander Kornbrust on 10 Sep 2010 @ 17:01 in Oracle Security | Comments disabled

Arup Nanda has released an [1] update for “Project Lockdown”. This new version covers Oracle 11g (R1/R2) as well.

I found a few minor things that are not 100% correct, but in general it is a good introduction.

But there is something I never liked: the recommendation for how to check the Oracle database for weak passwords. In my experience, weak passwords are the biggest problem in nearly every organization.

Just using dba_users_with_defpwd or comparing password hashes against a fixed list is not sufficient and is misleading (for example, password = username is not found). Oracle 11g uses salted hashes, and a comparison against precomputed hashes does not work with the view dba_users_with_defpwd.

Why not use a real password checker such as woraauthbf, [2] ops_sse or [3] Repscan? They check all passwords independently of the database version.
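To illustrate why a fixed hash list misses weak passwords once hashes are salted, here is an added example (not code from the post or from any of the tools named above). It uses a simplified salted SHA-1 scheme as a stand-in for Oracle 11g's salted hashes, constructed sample accounts and a constructed default-password excerpt; it is not Oracle's real hash format.

```python
import hashlib

# Simplified salted scheme standing in for Oracle 11g's salted SHA-1 hashes
# (constructed for illustration; not Oracle's real on-disk format).
def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha1(password.encode("utf-8") + salt).hexdigest()

def make_account(username: str, password: str, salt_hex: str) -> dict:
    salt = bytes.fromhex(salt_hex)
    return {"username": username, "salt": salt, "hash": salted_hash(password, salt)}

# Constructed sample accounts: two weak passwords, one strong one.
SAMPLE_ACCOUNTS = [
    make_account("SCOTT", "TIGER", "0011223344556677889900"),       # default password
    make_account("APPUSER", "APPUSER", "a1b2c3d4e5f60718293a4b"),   # password = username
    make_account("REPORT", "S3cure!Pass-2010", "deadbeef0011223344556677"),
]

# Well-known default credentials (a short constructed excerpt of such a list).
DEFAULT_PASSWORDS = {"SCOTT": "TIGER", "SYSTEM": "MANAGER", "DBSNMP": "DBSNMP"}

def precomputed_default_hashes() -> dict:
    """A static default-password hash list: hashes computed once, without the
    per-user salt, so they can only ever match an unsalted scheme."""
    return {user: salted_hash(pw, b"") for user, pw in DEFAULT_PASSWORDS.items()}

def check_by_hash_list(accounts: list, hash_list: dict) -> list:
    """dba_users_with_defpwd-style check: stored hash vs. a fixed precomputed hash."""
    return [a["username"] for a in accounts
            if hash_list.get(a["username"]) == a["hash"]]

def check_by_recompute(accounts: list, wordlist: list) -> dict:
    """Real checker: recompute every candidate with the account's own salt."""
    found = {}
    for a in accounts:
        # Candidates: the account's known default (if any), its username, and a wordlist.
        candidates = [DEFAULT_PASSWORDS.get(a["username"]), a["username"]] + wordlist
        for cand in filter(None, candidates):
            if salted_hash(cand, a["salt"]) == a["hash"]:
                found[a["username"]] = cand
                break
    return found

if __name__ == "__main__":
    print("hash-list check flags:", check_by_hash_list(SAMPLE_ACCOUNTS, precomputed_default_hashes()))
    print("recompute check finds:", check_by_recompute(SAMPLE_ACCOUNTS, ["PASSWORD", "ORACLE"]))
```

The hash-list check flags nothing, while the recompute check finds both SCOTT/TIGER and the password = username account; the strong REPORT password stays unflagged.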

My recommendation for the action plan:
Use a real password checker instead of only comparing password hashes.


This article was printed from Alexander Kornbrust Oracle Security Blog: http://blog.red-database-security.com

Article URL: http://blog.red-database-security.com/2010/09/10/update-of-project-lockdown-released/

URLs in this post:
[1] update for “Project Lockdown”: http://www.oracle.com/technetwork/articles/index-087388.html
[2] ops_sse: http://conus.info/ops/
[3] Repscan: http://www.red-database-security.com/software/repscan.html
