A security paper presented at a network security conference held by the SANS Institute in
In the critique of Oracle's security practices, Joshua Wright of the SANS Institute and Carlos Cid of Royal Holloway College in London identified several vulnerabilities, including a weak hashing mechanism and a lack of case preservation: every password is converted to uppercase before the hash is calculated, so "Secret" and "SECRET" yield the same hash and an attacker need only try uppercase candidates.
"By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plain text password from the hash for a known user," Wright and Cid claimed in their paper, which can be found at
Wright and Cid concluded that although a number of countermeasures can protect users' passwords, such as restricting access to the password table and enforcing complexity rules for passwords, Oracle customers should communicate their desire for a stronger password hashing mechanism to the company.
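To make the case-folding weakness and the value of the countermeasures concrete, the following Python is an added example and not code from the paper or from Oracle. It does not reproduce Oracle's real DES-based construction (the details are in the paper, not on this page); it reproduces only the property the paper criticises, uppercasing the password before hashing, using SHA-256 as a stand-in so that it runs with the standard library. The "fixed" scheme (HMAC-SHA-256 with a per-user random salt, case preserved) and the three-word dictionary are assumptions constructed for the example; a real deployment would use a slow KDF such as PBKDF2, scrypt or Argon2.

```python
import hashlib
import hmac
import itertools

# Stand-in for a legacy, case-folding password hash: the password is uppercased
# before hashing, as the paper says Oracle does, and no per-user salt is used.
# SHA-256 is an assumption of this example; Oracle's real algorithm is DES-based.
def legacy_hash(password: str) -> str:
    return hashlib.sha256(password.upper().encode("utf-8")).hexdigest()

# Case-preserving, per-user salted alternative (assumption: HMAC-SHA-256 with a
# caller-supplied random salt; a real deployment would use a slow KDF).
def salted_hash(password: str, salt: bytes) -> str:
    return hmac.new(salt, password.encode("utf-8"), hashlib.sha256).hexdigest()

def case_variants(word: str) -> set:
    """Every upper/lower-case spelling of word (digits have only one form)."""
    choices = [(ch.lower(), ch.upper()) for ch in word]
    return {"".join(combo) for combo in itertools.product(*choices)}

def crack_legacy(target: str, dictionary: list) -> tuple:
    """Dictionary attack on the case-folding hash.

    Because the scheme uppercases, one guess per dictionary word covers every
    case variant of that word. Returns (recovered_password, guesses_made)."""
    guesses = 0
    for word in dictionary:
        guesses += 1
        if legacy_hash(word) == target:
            return word.upper(), guesses
    return None, guesses

def crack_salted(target: str, salt: bytes, dictionary: list) -> tuple:
    """Same attack against the case-preserving hash.

    Case is preserved, so each word must be tried in every case variant, and
    the salt forces the work to be redone for every user. Returns
    (recovered_password, guesses_made)."""
    guesses = 0
    for word in dictionary:
        for variant in sorted(case_variants(word)):
            guesses += 1
            if salted_hash(variant, salt) == target:
                return variant, guesses
    return None, guesses

def candidate_count(dictionary: list) -> tuple:
    """(candidates under case folding, candidates with case preserved)."""
    folded = len(dictionary)
    preserved = sum(len(case_variants(word)) for word in dictionary)
    return folded, preserved

# Constructed sample dictionary for the demonstration (assumption).
DICTIONARY = ["password", "oracle", "Welcome1"]

if __name__ == "__main__":
    salt = bytes(range(16))  # constructed; use os.urandom(16) per user in practice
    print("case-folding collision:", legacy_hash("Welcome1") == legacy_hash("wElCoMe1"))
    print("legacy attack:", crack_legacy(legacy_hash("wElCoMe1"), DICTIONARY))
    print("salted attack:", crack_salted(salted_hash("WeLcOmE1", salt), salt, DICTIONARY))
    print("candidates (folded, preserved):", candidate_count(DICTIONARY))
```

For the three-word dictionary the case-folding scheme is beaten in at most three guesses, while preserving case raises the candidate count to 448, and the per-user salt means a table of precomputed hashes cannot be reused across accounts; the complexity rules and table protection the paper recommends reduce exposure, but only a case-preserving, salted and slow hash removes the shortcut.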
Let’s hope they do it forcefully. Despite being told about the vulnerability in July, Oracle has said little about the problem so far.