According to a paper by two researchers, Oracle's password scheme has a weak protection mechanism that puts corporate data at risk. News.com's Joris Evers reports that the researchers found a way to recover plain text passwords from "even very strong, well-written Oracle database passwords within minutes." Joris also reports on other Oracle security vulnerabilities and on how the company isn't winning points for the way it is handling the problems. It's clearly time to retire the "Unbreakable" appellation, which has been used in the past to market Oracle's products.
The two researchers, Joshua Wright of the SANS Institute and Carlos Cid of Royal Holloway College, University of London, came to the following conclusion in their paper:
The current Oracle password mechanism presents a number of weaknesses, making it straightforward for an attacker to recover a user's plaintext password from the hashed value. Although there are a number of countermeasures that can be taken to protect users' passwords, such as protecting the password table and enforcing complexity rules for passwords, the authors encourage Oracle customers to communicate their desire for a stronger password hashing mechanism through the appropriate channels.
According to Joris' story, Oracle has been stonewalling the researchers, who informed Oracle about the problem in July.