Friday, January 25, 2013

The Effect of the Weak Password

Default/weak passwords.

There is no need to discuss this point any further: many security breaches happen because of weak passwords. Can you guess the most popular passwords? Here is a list of the most common passwords of all time. Is yours one of them?

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball

Simple steps keep you on the safe side. There is no need for software or third-party products to enforce password rules in the database: Oracle 10g and 11g provide the features. Note that whatever works on 10g also works on 11g.

Oracle Database 10g

In Database 10g Oracle provides an example password verification function. You can write your own code, or you can use
ORACLE_HOME/rdbms/admin/utlpwdmg.sql
This function must be created in the SYS schema. When you run the script it does the following:
•    alters the default parameters for password management, which means all users on the system get password management
•    sets the default password resource parameters
•    the function performs minimum complexity checks, such as a minimum password length

sqlplus / as sysdba
SQL> @utlpwdmg.sql
Function created.
Profile altered.

Create a new user after running the utlpwdmg.sql script.

SQL> create user test identified by test;
create user test identified by test
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user


SQL> create user test identified by test_oracle123 ;
User created.

At least we ensure there are no more easy passwords. As mentioned before, you can create your own function or trigger.

CREATE OR REPLACE FUNCTION password_check (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
  RETURN BOOLEAN AS
BEGIN
  -- reject any password shorter than 10 characters
  IF LENGTH (password) < 10 THEN
    RETURN FALSE;
  ELSE
    RETURN TRUE;
  END IF;
END password_check;
/

After creating the above function under the SYS schema you should assign it to a specific profile. Let me describe this step by step.

1-    Create profile

CREATE PROFILE New_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME 3   
  PASSWORD_LIFE_TIME 15
  PASSWORD_GRACE_TIME 3  
  PASSWORD_REUSE_TIME 60
  PASSWORD_REUSE_MAX 3
/


Check that the profile was created.

SQL> select profile from dba_profiles where profile = 'NEW_PROFILE';

PROFILE
------------------------------
NEW_PROFILE

2-    Assign verify_function to New_profile

SQL> ALTER PROFILE new_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function; 
Profile altered.

3-    Change User profile
SQL> alter user scott profile NEW_profile ;
User altered.
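The following is an added example, not the post's or Oracle's own code: a stricter version of the password_check function above that also rejects the ten common passwords listed at the top of the post, requires both letters and digits, and raises an error message the way utlpwdmg.sql does, followed by the ALTER PROFILE from step 2 pointed at password_check instead of verify_function. It assumes the function is created as SYS and that NEW_PROFILE is the profile created in step 1.

```sql
-- Added example (not from the original post); create as SYS, then assign to a profile.
CREATE OR REPLACE FUNCTION password_check (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
  RETURN BOOLEAN AS
  -- the ten most common passwords listed earlier in the post
  TYPE word_list IS TABLE OF VARCHAR2(30);
  banned word_list := word_list('password', '123456', '12345678', 'abc123',
                                'qwerty', 'monkey', 'letmein', 'dragon',
                                '111111', 'baseball');
  has_letter BOOLEAN := FALSE;
  has_digit  BOOLEAN := FALSE;
  ch         VARCHAR2(1);
BEGIN
  -- minimum length
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;
  -- must not equal the username (ignoring case), as utlpwdmg.sql also checks
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password same as or similar to user');
  END IF;
  -- must not be one of the well-known weak passwords
  FOR i IN 1 .. banned.COUNT LOOP
    IF LOWER(password) = banned(i) THEN
      raise_application_error(-20003, 'Password is too common');
    END IF;
  END LOOP;
  -- require at least one letter and one digit
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF ch BETWEEN '0' AND '9' THEN has_digit := TRUE;
    ELSIF UPPER(ch) BETWEEN 'A' AND 'Z' THEN has_letter := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_letter AND has_digit) THEN
    raise_application_error(-20004, 'Password must contain letters and digits');
  END IF;
  -- must differ from the previous password
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20005, 'Password must differ from the old one');
  END IF;
  RETURN TRUE;
END password_check;
/

-- assign the function to the profile created in step 1 above
ALTER PROFILE new_profile LIMIT PASSWORD_VERIFY_FUNCTION password_check;
```

With this in place, `create user test identified by test` fails with ORA-28003 and the ORA-20002 message, while a password such as test_oracle123 is accepted.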

Now you create users with a password verification function and a profile with password conditions, all to make sure that a user will not be able to choose a weak password.

If you need to generate a strong password and nothing comes to mind, one of the most useful websites to help you with that is
http://www.randpass.com/. Just choose the length of the password.


Examples of passwords generated by random password sites:
"eo2toozo", "gop}geeu".

Oracle Database 11g

In 11g Oracle provides a new parameter that controls case sensitivity for passwords. I consider this an amazing addition to the database. It does not exist in 10g, but with it there is a difference between oracle and ORACLE as a password.

Since this book is concerned with Oracle security, I will post every example I can to show the best ways to secure your database.

SQL> show parameter case;

NAME                                 TYPE        VALUE
--------------------------------- ----------- ------------------------------
sec_case_sensitive_logon             boolean     FALSE

By default this parameter is set to TRUE to keep your passwords secure. I include a demonstration to help you understand this parameter as well.

In the output above the parameter is set to FALSE.

SQL> Create user test identified by test;
User created.

SQL> grant create session to test ;
Grant succeeded.

Let's try to connect as the test user, once as "test" and once as "TEST".

SQL> conn test/test ;
Connected.
SQL> conn test/TEST;
Connected.

There is no difference in case sensitivity for the password. Now I will set the SEC_CASE_SENSITIVE_LOGON parameter to TRUE and try again after changing the test user's password.

SQL> alter system set sec_case_sensitive_logon=TRUE scope=memory;
System altered.

SQL> alter user test identified by TEST;
User altered.

Let's try to connect this time using the test user.

SQL> conn test/test ;
ERROR:
ORA-01017: invalid username/password; logon denied

But using "TEST":

SQL> conn test/TEST ;
Connected.

This parameter is an important security feature. You can create your own complex passwords to protect your data. Weak passwords are one of the most important threats, and reducing hacking starts with simple basic steps.

Thank you
Osama Mustafa

3 comments:

  1. Password function in the profile is indeed a great add on. The case sensitivity is often switched off here to be honest. Great article. Keep Blogging!

    1. There's a lot of tips that you can do to secure the database before you start looking for products; one of them is this. Wait for my next article about how to hack Oracle passwords.

  2. You've got a really useful blog; I have been here reading for about an hour. I am a newbie and your success is very much an inspiration for me. Oracle Goldengate
