The security of Oracle databases is at risk because users do not change the passwords of the default accounts that ship with the product.
The warning, by Oracle executives and security experts, came as the UK Oracle User Group held its annual conference in Birmingham last week.
Oracle chief executive Larry Ellison said two months ago that security would be his company's biggest challenge over the next 18 months.
Last week, source code of what is believed to be the first worm to specifically target Oracle databases was released on the internet. This threat followed a report in October by US security research organisation the Sans Institute, which highlighted weaknesses in the algorithm Oracle uses to hash stored passwords.
Although the worm poses a potentially serious threat, the use of default passwords on databases is a much more immediate risk, according to David Litchfield, managing director of security consultancy NGSSoftware.
"About 15% to 20% of passwords remain in their default state," he said. This means an attacker need not crack anything: the default username and password pairs are printed in Oracle's own documentation, so anyone who can reach the listener can look them up and log in to the server with those credentials.
Duncan Harris, senior director, security assurance at Oracle, agreed with NGSSoftware's findings. "Unfortunately, default passwords do not get changed," he said.
Many users are still running Oracle 8i, which does not offer password management control, said Harris.
When users update to Oracle 9i R2, which does have password management control, they can still be caught out. "When a database is copied from an earlier version, the default passwords will be migrated unchanged," said Harris.
Enhanced security measures on Oracle's latest products only work when users set up a new database, he warned.
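The audit and hardening steps implied above, as an added example rather than anything from the article or from Oracle's own documentation: list the well-known default accounts that are still open, show what the DEFAULT profile currently enforces, tighten it, and expire or lock the shipped accounts so a database copied from an older release does not keep its old passwords. It assumes DBA privileges on a release that supports password profiles; the account list, the profile limits and the replacement SYS password are illustrative choices, not a complete inventory.

```sql
-- Added example, not from the article. Run as a DBA.
-- Account names below are documented Oracle default accounts; the list is
-- illustrative, not exhaustive. On 11g and later, DBA_USERS_WITH_DEFPWD
-- reports accounts whose password still equals the shipped default; this
-- query is the portable approximation for older releases.

-- 1. Default accounts that are still OPEN (candidates for default passwords).
SELECT username, account_status, profile, created
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM', 'SCOTT', 'DBSNMP', 'OUTLN',
                    'CTXSYS', 'MDSYS', 'ORDSYS', 'WMSYS', 'XDB')
   AND account_status = 'OPEN'
 ORDER BY username;

-- 2. What password controls the DEFAULT profile enforces today.
--    UNLIMITED on every row means no lockout, no expiry and no reuse rule.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- 3. Tighten the DEFAULT profile (limits are example values):
--    lock for 1 day after 10 failures, expire passwords after 90 days with a
--    7-day grace period, and forbid reusing any of the last 10 passwords
--    within a year (both REUSE limits must be set for reuse checking to apply).
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS 10
  PASSWORD_LOCK_TIME    1
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7
  PASSWORD_REUSE_MAX    10
  PASSWORD_REUSE_TIME   365;

-- 4. Deal with the shipped accounts themselves. Profile limits only bite on
--    the next password change, and a database migrated from an earlier
--    release keeps its old passwords, so expire or lock them explicitly.
ALTER USER scott  ACCOUNT LOCK PASSWORD EXPIRE;   -- demo schema: lock it
ALTER USER outln  ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER dbsnmp PASSWORD EXPIRE;                -- forces a new password at next logon
ALTER USER system PASSWORD EXPIRE;
-- SYS is needed for startup/shutdown, so set a new password directly
-- rather than expiring it (placeholder value; choose a real one).
ALTER USER sys IDENTIFIED BY "Replace-This-With-A-Strong-Passphrase-1";
```

Re-run the first two queries after the changes: the default accounts should now show EXPIRED, LOCKED or EXPIRED & LOCKED rather than OPEN, and the profile rows should no longer read UNLIMITED. Repeat the whole sequence after every upgrade or copy of the database, since the migrated accounts arrive with whatever passwords they had before.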
Harris said Oracle was aware of the Sans Institute warning about weaknesses in Oracle's password security but said, "We did not consider the paper a [comment on] standard vulnerability. It was a commentary on the architecture."
The company will be working to improve the strength of its password encryption in future releases, he said.
Oracle User Group chairman, Ronan Miles, said, "It seems that modern technology may have caught up with the Oracle standard password mechanism."