No more 'Unbreakable' Oracle

Summary: According to a paper by two researchers, Oracle's password scheme has a weak protection mechanism that puts corporate data at risk. News.


According to a paper by two researchers, Oracle's password scheme has a weak protection mechanism that puts corporate data at risk. News.com's Joris Evers reports that the researchers found a way to recover plain text passwords from "even very strong, well-written Oracle database passwords within minutes." Joris also reports on other Oracle security vulnerabilities and how the company isn't winning points for the way it is handling the problems. It's clearly time to retire the "Unbreakable" appellation, which has been used in the past to market Oracle's products.

The two researchers, Joshua Wright of the SANS Institute and Carlos Cid of Royal Holloway College, University of London, came to the following conclusion in their paper:

The current Oracle password mechanism presents a number of weaknesses, making it straightforward for an attacker to recover a user's plaintext password from the hashed value. Although there are a number of countermeasures that can be taken to protect users' passwords, such as protecting the password table and enforcing complexity rules for passwords, the authors encourage Oracle customers to communicate their desire for a stronger password hashing mechanism through the appropriate channels.

According to Joris' story, Oracle has been stonewalling the researchers, who informed Oracle about the problem in July.
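The paper's two points, that the hash mechanism itself is weak and that complexity rules are only a partial countermeasure, are easier to see side by side. The following Python is an added illustration, not code from the article or from the Wright/Cid paper, and it does not reproduce Oracle's actual algorithm: `weak_hash` is a constructed stand-in with two properties a weak scheme can have (no per-user salt, case folding), contrasted with a salted, iterated PBKDF2 hash and a constructed complexity policy.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed stand-in for a weak scheme (NOT Oracle's real algorithm):
# fast, unsalted and case-folded. Every user with the same password, in
# any letter case, ends up with the identical digest, so one precomputed
# dictionary table serves against the whole password table at once.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.upper().encode()).hexdigest()

# Salted, iterated hash (PBKDF2-HMAC-SHA256). A random per-user salt means
# identical passwords give different digests and each guess must be
# recomputed per user; the iteration count makes every guess expensive.
ITERATIONS = 200_000  # assumed work factor for this example

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_strong(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # constant-time comparison so verification timing leaks nothing
    return hmac.compare_digest(candidate, digest)

# A complexity rule of the kind the paper names as a countermeasure.
# Constructed policy: at least 12 characters, upper and lower case, a digit
# and a symbol. Note it cannot fix a weak hash; it only raises guess cost.
def complexity_ok(password: str) -> bool:
    return (len(password) >= 12
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

# How many distinct digests a password table yields under each scheme.
# Rows that share a password collapse to a single value under the weak one.
def distinct_weak(rows: List[Tuple[str, str]]) -> int:
    return len({weak_hash(pw) for _, pw in rows})

def distinct_strong(rows: List[Tuple[str, str]]) -> int:
    return len({strong_hash(pw)[1] for _, pw in rows})

if __name__ == "__main__":
    # constructed sample password table: same password, three letter cases
    rows = [("alice", "Winter2005"), ("bob", "WINTER2005"), ("carol", "winter2005")]
    print("distinct weak digests:  ", distinct_weak(rows))    # 1
    print("distinct strong digests:", distinct_strong(rows))  # 3
    for _, pw in rows:
        print(pw, "meets policy:", complexity_ok(pw))         # all False
```

The interesting number is the first one: three accounts, one digest. A defender auditing a password table can use exactly that collapse (many users sharing a digest) as a signal that the hashing scheme, not just the users' choices, needs replacing.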

Talkback

2 comments
  • So much for unbreakable...

    Somehow all of this reminds me of the Titanic. I realize that there are significant differences between the two scenarios* (not the least of which being the fact that a cracked password will not by default mean that people die), but they both concern the hubris of their designers. That said, at least Larry Ellison never said "Not even God Himself could hack an Oracle system"--at least not in those specific words.

    I mean, they said the security was unbreakable. What were they expecting to happen?

    *Also, the Titanic's sinking was more of a situation in which they had planned for disaster only up to an immediately foreseeable point--they had made it so that it could stay afloat if the first four chambers were flooded. Oracle, on the other hand, has an ostensibly tightly-locked door, but the key is right behind the bush to the left of the entrance.
    Third of Five
  • If this were MS SQL Server...

    ...you'd be hearing this shouted from the rooftops, not some small print item below the fold on ZDNet.
    Don't get me wrong, this is an incredibly heinous vulnerability, and deserves attention.
    It does serve to underscore the ridiculous double-standard in technology reporting.
    jonpul