Oracle Passwords

There's an article discussing how you can crack an Oracle password in about 4 minutes. I've scanned the article and Oracle's password system isn't as bad as I might have thought, but it's pretty bad. The big no-nos were using the user name as the salt (instead of a random value) and forcing the password to uppercase. This greatly simplifies the process of finding the password through brute force.
I like bashing Oracle, since:
  • When I first encountered Oracle I had to write connectivity in C++ to get to Oracle (back in 94 or so). I had already done the connectivity to DB-Library and to ODBC and found Oracle's the most problematic.
  • Oracle makes the most money of any database out there yet their documentation is rather pathetic.
  • Postgres is better on low end (say 2 processor) machines than Oracle.
  • Oracle's PL/SQL compiler is often useless for finding errors.
  • Oracle's error messages are often useless for finding errors in SQL as well (like which column is wrong).
  • Their salespeople are great at FUD.
So I think it's great that their passwords are so weak, it's quite embarrassing for them.
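
To make the two design flaws named above concrete, here is an added example (not from the article and not Oracle's actual algorithm) that puts a stand-in for "user name as salt, password forced to uppercase" beside a random-salt, case-preserving PBKDF2 variant. The SHA-256 stand-in, the function names, the iteration count, the letters-and-digits alphabet and the sample credential are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # assumed work factor for the hardened variant

def weak_hash(username: str, password: str) -> str:
    """Stand-in for the criticised design (NOT Oracle's real algorithm):
    the user name is the salt and the password is folded to uppercase."""
    material = (username.upper() + ":" + password.upper()).encode()
    return hashlib.sha256(material).hexdigest()

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened variant: random per-credential salt, case kept, slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def strong_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time check of a candidate against a stored (salt, digest)."""
    return hmac.compare_digest(strong_hash(password, salt)[1], expected)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def compare(username: str, password: str) -> dict:
    """Store one credential on two databases ("A" and "B") under each scheme."""
    weak_values = {weak_hash(username, password) for _db in ("A", "B")}
    strong_values = {strong_hash(password)[1] for _db in ("A", "B")}
    return {
        # Uppercase folding: every case variant of the password is accepted.
        "weak_ignores_case": weak_hash(username, password)
        == weak_hash(username, password.swapcase()),
        # Predictable salt: the stored value is identical on every database,
        # so work done against one well-known account name carries over.
        "weak_distinct_stored_values": len(weak_values),
        # Random salt: the same password is stored differently each time.
        "strong_distinct_stored_values": len(strong_values),
        # Letters+digits, 8 characters: 62 symbols with case vs 36 without.
        "case_folding_shrink_factor": keyspace(62, 8) / keyspace(36, 8),
    }

if __name__ == "__main__":
    # Constructed sample credential, not taken from any real system.
    for name, value in compare("app_owner", "Tr1ckyPass").items():
        print(f"{name}: {value}")
```

With an 8-character letters-and-digits password, case folding alone cuts the search space by a factor of about 77, before the predictable salt is even considered.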
