Oracle database users could be at risk because of weak
encryption mechanisms around the password system, security experts
have warned.
Researchers Joshua Wright of the Sans Institute and Carlos Cid
of Royal Holloway College's Information Security Group warned that
it was straightforward for an attacker to recover a user's
password.
Using a standard Intel Pentium 4 2.8GHz workstation, and assuming
an eight-character alphanumeric password and a known user name, the
researchers said a password could be found in about 20 days.
Although users can protect the password table and enforce
complexity rules for passwords, the researchers encouraged Oracle
users to lobby the company to make the password system more
secure.
David Litchfield, managing director of NGS Software and an
expert on Oracle security, said the problem lay with Oracle's use
of a simple version of the TripleDES encryption algorithm, which
automatically converts passwords to upper case letters. This made
it more vulnerable to a brute-force password attack, in which all
possible password combinations are tried.
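To put a number on the effect of up-casing, the following short script is an added illustration (not code from the article, the researchers or Oracle). It uses only figures the article gives (eight-character alphanumeric passwords, a 20-day search) to compute how much smaller the candidate space becomes once case is discarded, how many spellings of a single password collapse to one stored value, and the guess rate the reported 20-day figure implies; that rate is derived from the article's numbers under the assumption of a full-space search, not measured.

```python
"""Keyspace arithmetic for a password store that folds case before hashing.

Added illustration, not code from the article or from Oracle. Alphabet
sizes and the 20-day figure come from the article; the guess rate is
derived from them (assumption: the 20 days cover the whole space).
"""
from math import ceil

LOWER, UPPER, DIGITS = 26, 26, 10
MIXED_CASE_ALNUM = LOWER + UPPER + DIGITS   # 62 symbols per position
FOLDED_ALNUM = UPPER + DIGITS               # 36 symbols once case is folded
SECONDS_PER_DAY = 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct candidates for a fixed-length password."""
    return alphabet_size ** length


def folding_reduction(length: int) -> float:
    """How many times smaller the search becomes when case is discarded."""
    return keyspace(MIXED_CASE_ALNUM, length) / keyspace(FOLDED_ALNUM, length)


def collapsed_variants(password: str) -> int:
    """Distinct mixed-case spellings of `password` that map to the same
    stored value under case folding: two choices for every cased letter."""
    letters = sum(1 for ch in password if ch.isalpha())
    return 2 ** letters


def implied_guess_rate(length: int, days: float) -> int:
    """Guesses per second needed to exhaust the folded space in `days`."""
    return ceil(keyspace(FOLDED_ALNUM, length) / (days * SECONDS_PER_DAY))


def days_to_exhaust(length: int, guesses_per_second: int,
                    alphabet_size: int) -> float:
    """Days to try every candidate at a given rate over a given alphabet."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_DAY


if __name__ == "__main__":
    n = 8                                      # password length from the article
    print(f"mixed-case space : {keyspace(MIXED_CASE_ALNUM, n):,}")
    print(f"case-folded space: {keyspace(FOLDED_ALNUM, n):,}")
    print(f"reduction factor : {folding_reduction(n):.1f}x")
    # "Passw0rd" is a constructed sample; seven letters give 2**7 spellings
    print(f"spellings of 'Passw0rd' sharing one hash: {collapsed_variants('Passw0rd')}")
    rate = implied_guess_rate(n, 20)           # 20 days from the article
    print(f"implied throughput: ~{rate:,} guesses/s")
    print(f"same rate, case preserved: ~{days_to_exhaust(n, rate, MIXED_CASE_ALNUM):.0f} days")
```

The last line is the defender's takeaway: at the throughput the 20-day figure implies, a store that preserved case would take roughly 77 times longer to exhaust for the same eight-character policy. Complexity rules help only to the extent the hashing scheme actually keeps the entropy they add.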
Litchfield warned that a bigger problem with Oracle database
security lay in poor practices by IT departments, with default
passwords not being changed in the database.
Oracle said it was unable to comment on the warning.