A research paper released this week spells out weaknesses in the password mechanism for Oracle databases and describes how to break system passwords in minutes.
A number of decisions made by the database maker weaken the password algorithm, according to Joshua Wright of the SANS Institute and Carlos Cid of the University of London. Passwords in Oracle databases use the account name as the salt for the password hash, all characters are converted to uppercase before hashing, and the hashing algorithm itself is fairly weak, the two researchers said in the paper.
As a result, an attacker with limited resources can practically crack the password of any user of an Oracle database. Using a Pentium 4 2.8GHz workstation, it took on average 20 days to recover the plaintext password for a known account name and hash. Moreover, by using pregenerated dictionaries of password plaintext-hash pairs, the passwords of common account names--such as the SYSTEM account--can be recovered in minutes. Oracle did not immediately comment on the paper.
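The two design choices the researchers single out, a salt derived from the account name and case folding of the input, are easiest to see side by side with a properly salted scheme. The following toy is an added illustration written for this article, not code from the paper or from Oracle: SHA-256 stands in for the real hash function, the wordlist and account names are constructed, and the point is why a predictable salt lets one precomputed table serve every installation while a random per-user salt does not.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Constructed sample wordlist for the demonstration; not taken from the article.
SAMPLE_WORDLIST = ["manager", "welcome", "password", "letmein", "Summer05"]


def weak_hash(account: str, password: str) -> str:
    """Toy stand-in reproducing the three properties the article lists:
    the account name is the only 'salt', every character is upper-cased,
    and the result is identical on every installation.
    SHA-256 is used purely as a stand-in; this is NOT Oracle's algorithm."""
    material = (account + password).upper().encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Contrast: a per-user random salt and case-preserving input.
    Returns the salt alongside the digest so a stored record can be re-verified."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def precompute_table(account: str, wordlist) -> Dict[str, str]:
    """Build a digest -> password table once for a well-known account name.
    Because the account name is the only salt, the same table applies to
    every installation that uses the weak scheme."""
    return {weak_hash(account, word): word.upper() for word in wordlist}


def lookup(table: Dict[str, str], stored_digest: str) -> Optional[str]:
    """Return the plaintext if the stored digest is in the table, else None."""
    return table.get(stored_digest)


def case_variants_collapsed(password: str) -> int:
    """Number of mixed-case spellings that fold to the same upper-cased string:
    two choices per letter, so 2 ** (letter count). Every one of them is
    removed from the search space by the uppercase conversion."""
    return 2 ** sum(1 for ch in password if ch.isalpha())


def demo() -> Dict[str, object]:
    # Table built once, offline, for the SYSTEM account name.
    table = precompute_table("SYSTEM", SAMPLE_WORDLIST)

    # A different installation stores a mixed-case variant of a listed word;
    # case folding means the precomputed table still matches it.
    stored_weak = weak_hash("system", "Manager")
    weak_hit = lookup(table, stored_weak)

    # Same password hashed with two random salts: no single table can cover
    # both records, yet each record still verifies against its own salt.
    salt_a, digest_a = salted_hash("Manager")
    _salt_b, digest_b = salted_hash("Manager")
    verified = salted_hash("Manager", salt_a)[1] == digest_a

    return {
        "weak_table_hit": weak_hit,                 # 'MANAGER'
        "random_salts_differ": digest_a != digest_b,  # True
        "stored_record_verifies": verified,         # True
        "variants_folded_for_Summer05": case_variants_collapsed("Summer05"),  # 64
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defensive takeaway is the contrast in `demo()`: the table keyed only on a fixed account name hits a record from an unrelated installation, whereas the randomly salted records of the same password share nothing an attacker could precompute, which is the property a password store should have regardless of the hash function chosen.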
Passwords are a continuing security vulnerability for most organizations. Recently, a California school system's flawed method for assigning passwords left thousands of children's personal information exposed. Some companies are pushing fingerprints as a second factor to boost the security of password-only systems, but there are concerns, especially in widespread applications.
Posted by: Robert Lemos