Oracle Passwords

There's a article discussing how you can crack an Oracle password in about 4 minutes. I've scanned the article and Oracle's password system isn't as bad as I might have thought, but it's pretty bad. The big no-nos was using the user name as the salt (instead of a random value) and forcing the password to uppercase. This greatly simplifies the process of find the password through brute force.
I like bashing Oracle, since:
  • When I first encountered Oracle I had to write connectivity in C++ to get to Oracle (back in 94 or so). I had already done the connectivity to DB-Library and to ODBC and found Oracle's the most problematic.
  • Oracle makes the most money of any database out there yet their documentation is rather pathetic.
  • Postgres is better on low end (say 2 processor) machines than Oracle.
  • Oracle's PL/SQL compiler is often useless for finding errors.
  • Oracle's error messages are often useless for finding errors in SQL as well (like which column is wrong).
  • They're salespeople are great at FUD.
So I think it's great that their passwords are so weak, it's quite embarrasing for them.


Popular posts from this blog

Shortest Sudoku solver in Python

Seven Segment Display in Inkscape