Hello,
the article "An Assessment of the Oracle Password Hashing Algorithm" by Joshua Wright and Carlos Cid, 18 Oct 2005
http://www.isg.rhul.ac.uk/~ccid/publications/oracle_passwd.pdf
emphasises that the Oracle encrypted password present in dba_users constitutes a security hole.
Besides dba_users, the article also mentions other views visible with the select_catalog_role role that expose this security risk, for example ku$_user_view.
Until now we used the select_catalog_role as a very convenient way to grant our developer staff the visibility of the data dictionary.
But after reading this article it's clear that I have to trust a person before granting select_catalog_role to them.
We use a minimum password length of 8 with a password_life_time of 90 and a password_grace_time of 90.
But the article speaks of a minimum password length of 12 and a password expiration duration of 60 days to mitigate a brute-force attack against the password hash.
Idea: We create a new role select_catalog_role_dev without the offending views mentioned in the article and grant this role to the developers.
Would this suffice as security measure?
Thanks
Tauber Johann
NB: Our DBA claims that the following views also expose the database to a security risk:
DBA_DB_LINKS
DBA_JOBS
DBA_SEGMENTS
DBA_DATA_FILES
DBA_TABLESPACES
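One way to build the restricted role proposed in the post and then verify what it exposes, written here as an added example rather than anything from the original post or from Oracle's own scripts. It assumes it is run as SYS on a 10g-era database where SELECT_CATALOG_ROLE's object grants are listed in ROLE_TAB_PRIVS; the role name, the two hash-exposing views and the DBA's list of views come from the post, and the profile name dev_profile is invented for the example.

```sql
-- Build SELECT_CATALOG_ROLE_DEV from SELECT_CATALOG_ROLE's own object grants,
-- leaving out the views named in the post. Run as SYS. Assumes the role's
-- grants appear in ROLE_TAB_PRIVS (10g-era releases covered by the 2005 paper).
CREATE ROLE select_catalog_role_dev;

DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(128);
  -- Views the paper names as exposing the password hash, followed by the
  -- views the DBA flagged in the post; extend as further views are identified.
  excluded name_list := name_list('DBA_USERS', 'KU$_USER_VIEW',
                                  'DBA_DB_LINKS', 'DBA_JOBS', 'DBA_SEGMENTS',
                                  'DBA_DATA_FILES', 'DBA_TABLESPACES');
  skip BOOLEAN;
BEGIN
  FOR r IN (SELECT owner, table_name, privilege
              FROM role_tab_privs
             WHERE role = 'SELECT_CATALOG_ROLE') LOOP
    skip := FALSE;
    FOR i IN 1 .. excluded.COUNT LOOP
      IF r.table_name = excluded(i) THEN skip := TRUE; END IF;
    END LOOP;
    IF NOT skip THEN
      -- Re-grant the same privilege on the same object to the new role.
      EXECUTE IMMEDIATE 'GRANT ' || r.privilege || ' ON "' || r.owner || '"."'
                        || r.table_name || '" TO select_catalog_role_dev';
    END IF;
  END LOOP;
END;
/

-- Check 1: the new role must not reach any excluded view (expect no rows).
SELECT table_name
  FROM role_tab_privs
 WHERE role = 'SELECT_CATALOG_ROLE_DEV'
   AND table_name IN ('DBA_USERS', 'KU$_USER_VIEW', 'DBA_DB_LINKS', 'DBA_JOBS',
                      'DBA_SEGMENTS', 'DBA_DATA_FILES', 'DBA_TABLESPACES');

-- Check 2: list who still holds the full role directly, so developer accounts
-- can be moved to the restricted role and the grant revoked.
SELECT grantee FROM dba_role_privs WHERE granted_role = 'SELECT_CATALOG_ROLE';

-- Profile following the paper's 60-day expiry. The 12-character minimum needs
-- a PASSWORD_VERIFY_FUNCTION (Oracle ships a template in utlpwdmg.sql), which
-- this snippet does not define.
CREATE PROFILE dev_profile LIMIT
  PASSWORD_LIFE_TIME 60;
```

Whether the result "suffices" still depends on the remaining grants: after Check 1 returns no rows, review the full list of objects left in the role, since any view that selects from SYS.USER$ would re-expose the same column.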