SlideShare a Scribd company logo

AUSOUG Oracle Password Security

Stefan Oehrli
Stefan Oehrli

Authentication is an integral part of security. If authentication or passwords are insufficient, all further security measures are obsolete. But how do you ensure that passwords are complex? We will explain the different password hashes and show how to make sure authentication is secure.

1 of 50
Download to read offline
1 11th November 2021 4.30 PM AEDT Security Best Practice: Oracle passwords, but secure! Stefan Oehrli Big Data/Analytics/Security/EPM & BI Summit Event Partners
SECURITY BEST PRACTICE Oracle passwords, but secure!
3 HALLO, GRÜESSECH, HI! § Since 1997 active in various IT areas § More than 24 years of experience in Oracle databases § Focus: Protecting data and operating databases securely o Security assessments and reviews o Database security concepts and their implementation o Oracle Backup & Recovery concepts and troubleshooting o Oracle Enterprise User and Advanced Security, DB Vault, … o Oracle Directory Services § Co-author of the book The Oracle DBA (Hanser, 2016/07) STEFAN OEHRLI PLATFORM ARCHITECT
4
5 OUR WORKSPACES ROMANIA AUSTRIA GERMANY SWITZERLAND
6 AGENDA § Introduction § Oracle Password Hashes § Oracle Logon Process § Challenges § Password Complexity § Good Practice § Conclusion
7 INTRODUCTION
8 HOW MUCH SECURITY DO YOU NEED?
11 BUT HONESTLY, ARE PASSWORDS STILL AN ISSUE? § Password based authentication is still one of the most used methods → Flexibility § A large number of DB, Clients or Apps require legacy hashes / protocols → Compatibility § Password Verification Functions do not keep pace with CPU evolvements → Standards § The standards of the vendors are usually not the securest → Security Hardening § Software, hashes and protocols reveal security flaws over time Secure authentication is crucial, otherwise further security measures are questionable
12 ORACLE PASSWORD HASHES
13 WHAT IS A HASH FUNCTION? § Mathematical algorithm to map data of any size to a bit array of a fixed length § It is deterministic § Quick to compute hash for any given message § One-way function § Infeasible to generate a message that yields a given hash value § Infeasible to find two different messages with the same hash value → Collision § Known Cryptographic Hash Algorithms o MD5 o SHA-1 o SHA-2 i.e., SHA-256 and SHA-512
14 ORACLE PASSWORD HASH FUNCTIONS § Oracle 10g Hash Function o Based on DES and an Oracle specific algorithm o Case insensitive and weak password Salt => Username § MD5 based Hash Function o used for digest authentication in XDB § Oracle 11g Hash Function o Based on the SHA1 hash algorithm o SHA1 is no longer considered safe (since 2005 see Wikipedia SHA-1) o Supports case sensitive and multibyte character passwords § Oracle 12c Hash Function o based on a de-optimized algorithm involving PBKDF2 and SHA-512 o Supports case sensitive and multibyte character passwords § Recommendation: Only use Oracle 12c Hash Function
15 ORACLE 10G PASSWORD VERIFIER CREATE USER syste IDENTIFIED BY mmanager; User created. ALTER USER system IDENTIFIED BY manager; User altered. SELECT name, password FROM sys.user$ WHERE name LIKE 'SYSTE%'; USERNAME PASSWORD ------------------------------ ------------------------------ SYSTEM D4DF7931AB130E37 SYSTE D4DF7931AB130E37 § Passwords of local users are stored as 8-byte password hashes in base table SYS.USER$ § This algorithm has several weaknesses 1. Weak password salt => user namey
16 ORACLE 10G PASSWORD VERIFIER ALTER USER system IDENTIFIED BY ManAger; User altered. SELECT name, password FROM sys.user$ WHERE name LIKE 'SYSTEM'; USERNAME PASSWORD ------------------------------ ------------------------------ SYSTEM D4DF7931AB130E37 § This algorithm has several weaknesses 2. Not case sensitive 3. Based on a legacy and proprietary hash function
17 ORACLE 10G PASSWORD ALGORITHM Weak Hash Algorithm 1. Associate the user with the password to a clear text string 2. Convert clear text to upper case letters 3. Convert clear text to a Unicode string 4. Encryption of the clear text with DES CBC and a fixed key 0x0123456789ABCDEF If necessary the clear text 0 is padded to the next even block 5. Additional encryption of the clear text with DES CBC Here the last block of step 4 is used as the key. The last block is then used as the hash value
18 EXAMPLE ORACLE 10G PASSWORD ALGORITHM Username : system Password : manager - STEP 1 ---------------------------------------------------------- Salted String : systemmanager - STEP 2 ---------------------------------------------------------- Upper String : SYSTEMMANAGER - STEP 3 ---------------------------------------------------------- Unicode String : 00530059005300540045004D004D0041004E0041004700450052 - STEP 4 ---------------------------------------------------------- 1st Key : 0123456789ABCDEF 1st Hash value : 643624EDC5FEA9B402B0B017E7CB7DB713108AC1914E984FE2EDDFE949A0C3C1 - STEP 5 --------------------------------------------------------- 2nd Key : E2EDDFE949A0C3C1 2nd Hash Value : A2295A85F9B413C2D2B25971D5199A0BA6C4C6035A4906B2D4DF7931AB130E37 Password Hash : D4DF7931AB130E37
19 ORACLE 11G PASSWORD VERIFIER SELECT name, regexp_substr(spare4,'((S:.+);|(S:.+))',1,1,'i’,1) HASH FROM user$ WHERE name='TEST’; NAME HASH ---------- -------------------------------------------------------------- TEST S:885B3ACB933CCBEF42DA4455BC4F1597E823F144A37F22B76F48F0CFFC52 § Based on SHA-1 and supports Case Sensitive and Multibyte Character Passwords Actually everything that your character set offers But special characters requires quotes e.g. " " § Password hash is stored in column SPARE4 in base table SYS.USER$ Hash value does have the prefix S: sys.user$spare4 = SHA1(pwd concat with salt) concat with salt § The hash function is a simple SHA-1 function
20 EXAMPLE ORACLE 11G PASSWORD ALGORITHM ALTER USER test IDENTIFIED BY Welcome1; SELECT name, substr(regexp_substr(spare4,'((S:.+);|(S:.+));',1,1,'i',1), 1,40 ) HASH, substr(regexp_substr(spare4,'((S:.+);|(S:.+));',1,1,'i',1), 41) SALT FROM user$ WHERE name='TEST’; NAME HASH SALT ---------- ---------------------------------------- -------------------- TEST 885B3ACB933CCBEF42DA4455BC4F1597E823F144 A37F22B76F48F0CFFC52 SELECT sys.dbms_crypto.hash(utl_raw.cast_to_raw('Welcome1')|| hextoraw('A37F22B76F48F0CFFC52'),3) HASH FROM dual; HASH ---------------------------------------- 885B3ACB933CCBEF42DA4455BC4F1597E823F144
21 ORACLE 12C PASSWORD VERIFIER SELECT name, regexp_substr(spare4,'((T:.+);|(T:.+))',1,1,'i',1) HASH FROM user$ WHERE name='TEST'; NAME HASH ----- -------------------------------------------------------------------- TEST T:1902FCD14B0096A5F6E44E2C0B87747911879173740A0FC8D8D346532731FE46A2 72123A0C53D79BDF26AB4FABAEEEF2964DEAE00B4626696C6CBE2ABEF753006B8D0E 3DFA2CB0480115E8457AE954E6 § Based on a de-optimized algorithm involving PBKDF2 and SHA-512 o See Oracle® Database Security Guide 19c About the 12C Version of the Password Hash § Supports Case Sensitive and Multibyte Character Passwords § Password hash is stored in column SPARE4 in base table SYS.USER$ o Hash value does have the prefix T: § Oracle 12c Password Hash is supported by Client / Server Oracle Release 11.2.0.3
22 WHICH PASSWORD VERIFIER IS AVAILABLE SELECT username,password_versions FROM dba_users WHERE username LIKE 'USER_%' ORDER BY 1; USERNAME PASSWORD_VERSIONS ------------------------- ----------------- USER_10G 10G USER_11G 11G USER_12C 12C USER_ALL 10G 11G 12C § Query PASSWORD_VERSIONS from DBA_USERS § Effective hash values stored in USER$ o Oracle 10g Hash column PASSWORD o Oracle 11g Hash column SPARE4 Prefix S: o Oracle 12c Hash column SPARE4 Prefix T:
23 ORACLE LOGON PROCESS
24 ORACLE LOGON PROCESS § Establish initial connection i.e. TNS name resolution, connection request to listener, etc. § Negotiate session- and optional encryption keys § Initiate authentication either ... o Password base for DB, CMU, EUS, Proxy or orapwd file authentication o External / OS based for OS, Kerberos, Radius, SSL or admin privileges e.g. SYSDBA § Password based authentication is always done on the DB i.e. password hashes have to be available to the database o SYS.USER$ or orapwd file o EUS/CMU relevant LDAP attributes e.g. userPassword, orclCommonAttribute
25 ORACLE LOGIN PROCESS O3LOGON/O5LOGON Client sends user name • Database fetches password hash from SYS.USER$ • Generates session key (random) • Encrypts key with hash • Generates hash from password • Decrypts session key • Encrypts password with session key • Decrypts password with session key • Generates password hash with this • Compares hash with SYS.USER$ • Sends result Login successful? User name Status Password (encrypt.) Session Key / Salt
26 AUTHENTICATION PROTOCOL § Login protocol is defined by the sqlnet.ora configuration o SQLNET.ALLOWED_LOGON_VERSION_SERVER (default 12) o SQLNET.ALLOWED_LOGON_VERSION_CLIENT (default 11) § Here "version" refers to the version of the login protocol, not the database version § Appropriate password versions / hashes must be available o See DBA_USERS.PASSWORD_VERSIONS § Default value of ALLOWED_LOGON_VERSION_SERVER o Up to Oracle 12.1.0.2 => 8 all hashes are created o From Oracle 12.2.0.1 => 12 only 11c and 12c hashes are created § Recommended setting for ALLOWED_LOGON_VERSION_SERVER is 12a o Only the 12c Password Verifier is used
27 OVERVIEW AUTHENTICATION PROTOCOL § Authentication Registration protocols version and the limitations / capabilities o ALV = SQLNET.ALLOWED_LOGON_VERSION_SERVER/CLIENT ALV Password Version Client ability Meaning 12a 12c O7L_MR Only Oracle 12.1.0x clients 12 11g, 12c O7L_NP Only clients with CPUOct 2012 11 10g, 11g, 12c O5L Oracle 10g and later, DBs older than 11.2.0.3 or without CPUOct 2012 must use 10g passwords 10 10g, 11g, 12c O5L 9 10g, 11g, 12c O4L Oracle 9i and newer 8 10g, 11g, 12c O3L Oracle 8i and older
28 CHALLENGES
29 PROTOCOL AND PASSWORD HASHES SQL> ALTER USER scott IDENTIFIED BY values 'S:22D8239017006EBDE054108BF367F225B5E731D12C91A3BEB31FA28D4A38'; § Corresponding password versions / hashes must be available o See DBA_USERS.PASSWORD_VERSIONS § If the version is not greater/equal, the connection is terminated o ORA-28040: No matching authentication protocol § If the corresponding hash is missing, the connection is terminated o ORA-01017: invalid username/password; logon denied § By setting/deleting the corresponding hashes, you can indirectly control which logon protocol is used
30 WEAKNESSES IN THE PASSWORD SYSTEM § Password hashes are all over the place o Not everywhere, but in enough places o Miscellaneous base tables in the data dictionary o orapwd file used for remote login as administrative user § If the hashes are known, dictionary, rule or brute force based attacks are possible § Limitation and vulnerabilities of password hash functions o E.g. known hash collisions § Character restriction (no upper/lower case up to and including Oracle 10g, in principle no special characters allowed) o Partial compatibility problems with different tools
31 RISKS OF THE ORACLE LOGIN PROCESS § Is the login process secure? § User name passes through the network unencrypted § But no password, no password hash § Password is automatically encrypted between client and server via AES § If password hash known, session key could be decrypted § Vulnerability found for password verifier using SHA-1 in October 2012 o Security vulnerability in login process CVE-2012-3137 o Clients and servers need to be patched and password reset o Information in MOS Note 1492721.1 and 1493990.1 o Hint: Every Client which is not patched or using legacy logon process is still affected from this vulnerability
32 CONFIGURATION – ORA-01017 OR ORA-28040 § False Configurations can lead to issues, mostly to ORA-01017 or ORA-28040 o E.g. set SEC_CASE_SENSITIVE_LOGON=FALSE and ALLOWED_LOGON_VERSION_SERVER>=12 § Database Migrations using expdp/impdp import users as they are o Can lead to wrong / missing password verifiers o Source DB has only 10g hashes but target requires 11g or 12c password verifiers o MOS Note 2289453.1 ORA-39384 Warning: User <USERNAME> Has been locked … o Post by Mike Dietrich What happens to PASSWORD_VERSIONS during an upgrade to Oracle 12.2? § Applications limiting password character pool o Some applications cannot handle certain special characters, umlauts etc. o $ " @ # can be challenging to escape properly § Client Libraries (OCI, JDBC,…) not coping with new hash algorithms o Legacy issue from Oracle 10g to 11g transition o Client occasionally simply converted the password to uppercase
33 PASSWORD COMPLEXITY
34 PASSWORD PROFILES § Since Oracle8 it is possible to create password profiles and assign them to users § Password profiles define the criteria for passwords o complexity with a password check function o Number of incorrect logins, number, lock and grace time o Validity period of passwords o Password history § Oracle provides a script utlpwdmg.sql to configure password profiles and functions o The script is updated with every Oracle release o The script is not executed depending on the Release / Create method o It includes profiles based on CIS and Database STIG recommendations § Password verification function can be created using Oracle functions: o ora_string_distance Calculation of the difference between two strings according to the Levenshtein distance o ora_complexity_check Checking the password complexity of a string
35 GOOD IDEA TO SPECIFY COMPLEXITY RULES? Example Password Rule § Password with digits, upper and lower case letters § 8-character password length § At least 1 capital letter § At least 1 lower case letter § At least 1 digit The Problem § Number of characters 26+26+10=62 § Combinations for 8-character password 628 § Minus the special cases: o Digits only 108 o Letters only 528 o Upper and lower case only 268 + 268 About a quarter less combinations! Effective Combinations 75.32% Digits only 0% Upper case only 0.10% Lower case only 0.10% Characters only 24.48% PASSWORDS
36 BUT WHAT ARE GOOD PASSWORDS? Not easy to answer anyway, if there is an answer at least. A few principles and good practices: § Passwords must be easy to “remember” either by you or your password manager § Pool of unique characters should be as large as possible ... and feasible J § Maximum manageable length should be selected o The longer, the better J § Password should not be based on common words, names or know passwords i.e. password dictionary § Do not follow any obvious rules § Password should have high entropy
37 PASSWORD ENTROPY § Entropy is a measurement of how unpredictable a password 𝐸 = 𝐿𝑜𝑔! 𝑅" o 𝑅" = number of possible passwords o E = password entropy in bits o R = pool of unique character o L = number of character i.e. password length § Entropy for the example before 𝐸 = 𝐿𝑜𝑔! 62# = 47.6 bits § Today's GPU can calculate several million hashes per second o MacBook Pro 2020 400MH/s for Oracle 10g o 36 - 59 bits used to be reasonable secure § Safe Password? It depends… o … on how the password is generated (random is not always that random) o … on a possible attack method e.g. Welcome1 meets the password rule
38 EXAMPLE STRONG PASSWORDS Source: xkcd https://xkcd.com/936
39 CHECK THE PASSWORDS! SELECT username FROM dba_users_with_defpwd; USERNAME ---------- CTXSYS SCOTT § The view DBA_USERS_WITH_DEFPWD can be used to easily check whether the default passwords of users created by Oracle have been changed § Alternative checking of the known hash with appropriate tools o DBMS_CRYPTO to calculate the hash manually o Password Crack Tools like Hashcat, John the Ripper and others
40 PASSWORD VERIFICATION USING TOOLS § Tools Hashcat and John the Ripper do support a wide range of known password hashes o Including all hash functions used by Oracle e.g. 10g, 11g, 12c § GPU power is a crucial factor when calculating hash values o Tools do use CPU and GPU to calculate hashes where GPU o Whereby GPU are faster by factors § Different attack methods are possible: o Dictionary based – testing passwords from wordlist e.g. 5-10 Mio o Rule based – Extend wordlist by rules e.g. flip chars, add numbers etc. o Brute force – Calculate every combination out of a character pool § The tools are basically free and publicly available o Relatively well documented and No darknet experience required J § The use might be illegal depending on country and region o Depends on the purpose of use
41 WHAT IS POSSIBLE – MACBOOK PRO 2018 hashcat --benchmark --hash-type 3100 -D 1,2,3 hashcat (v6.1.1) starting in benchmark mode... OpenCL API (OpenCL 1.2 (Oct 29 2020 19:50:08)) - Platform #1 [Apple] ==================================================================== * Device #1: Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 32704/32768 MB * Device #2: Intel(R) UHD Graphics 630, 1472/1536 MB (384 MB allocatable), 24MCU * Device #3: AMD Radeon Pro 560X Compute Engine, 4032/4096 MB (1024 MB allocatable), 16MCU Hashmode: 3100 - Oracle H: Type (Oracle 7+) Speed.#1.........: 11719.5 kH/s (66.85ms) @ Accel:128 Loops:512 Thr:1 Vec:4 Speed.#2.........: 4423.3 kH/s (85.02ms) @ Accel:128 Loops:16 Thr:8 Vec:1 Speed.#3.........: 117.8 MH/s (67.33ms) @ Accel:128 Loops:64 Thr:64 Vec:1 Speed.#*.........: 133.9 MH/s § Simple Hashcat benchmark for the Oracle 7+ hashes i.e. 10g password verifier
42 WHAT IS POSSIBLE – MACBOOK PRO 2020 hashcat --benchmark --hash-type 3100 -D 1,2,3 hashcat (v6.1.1) starting in benchmark mode... OpenCL API (OpenCL 1.2 (Jun 8 2020 17:36:15)) - Platform #1 [Apple] ==================================================================== * Device #1: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz, 65472/65536 MB * Device #2: Intel(R) UHD Graphics 630, 1472/1536 MB (384 MB allocatable), 24MCU * Device #3: AMD Radeon Pro 5500M Compute Engine, 8112/8176 MB (2044 MB allocatable), 24MCU Hashmode: 3100 - Oracle H: Type (Oracle 7+) Speed.#1.........: 8891.4 kH/s (58.73ms) @ Accel:32 Loops:1024 Thr:1 Vec:4 Speed.#2.........: 4653.3 kH/s (78.22ms) @ Accel:4 Loops:512 Thr:8 Vec:1 Speed.#3.........: 400.4 MH/s (61.61ms) @ Accel:256 Loops:64 Thr:64 Vec:1 Speed.#*.........: 414.0 MH/s § Simple Hashcat benchmark for the Oracle 7+ hashes i.e. 10g password verifier
43 WHAT IS GENERALLY POSSIBLE? Performance for other hash values differs Power of my MacBook pro not enough? § No need to rent a Cray-2 § Just buy a decent graphic card or two i.e., for game not office usage J § Set up a compute instance in a cloud o All cloud vendors have options for GPU support Hash Type MB Pro 2018 MB Pro 2020 Nvidia GTX 1080 TI MD5 4’921.4 MH/s 11’240.0 MH/s 31’103.4 MH/s SHA-1 1’783.2 MH/s 4’296.9 MH/s 11’374.1 MH/s Oracle 7+ 133.9 MH/s 414.0 MH/s 1’320.0 MH/s Oracle 11+ 1’766.6 MH/s 4’283.2 MH/s 11’222.5 MH/s Oracle 12+ 4390 H/s 3698 H/s 150.2 kH/s
44 GOOD PRACTICE
45 GOOD PRACTICE Keep your Oracle Clients and Server up to date § Stay updated by following Critical Patch Updates, Security Alerts and Bulletins § Install security fixes in a reasonable time frame Consider using strong Authentication § Kerberos and SSL based Authentication Don’t use legacy password verifier § Use Oracle password file version 12.2 § Explicitly configure ALLOWED_LOGON_VERSION_SERVER to 12a and exclusively use 12c hash values § Start using PBKDF2 SHA-512 for directory-based password authentication with EUS and CMU § Art. 32 GDPR Security of processing MD5, SHA-1 and Oracle 10g password verifiers are definitely not state of the art any more
46 GOOD PRACTICE Revise your password policies § NIST, CIS, STIG and other standards are continuously adjusted § Does the complexity rule still make sense or does it just reduce the amount of possibilities User awareness training § Make sure your user know the principle of good and bad § Use of phase phrase rather than password
47 GOOD PRACTICE Reduce the attack vector § Limit access to password hash values o e.g., password files, SYS.USER$ and other base tables § Know where you have password hash values o e.g., in application tables § Implement general database hardening o Oracle Database Lockdown o Oracle® Database Security Guide 19c o CIS Oracle Database Benchmark 19c o DoD Oracle Database 12c STIG - Ver 1, Rel 18 § Once again training of security awareness…
48 CONCLUSION
49 CONCLUSION § There is no absolute security nor secure passwords o Computing power evolves § Revise your password rule § Keep software up to date o That means server and clients § Don’t use legacy configuration o 10g/11g hashes o SEC_CASE_SENSITIVE_LOGON § Consider using strong authentication o Kerberos or SSL Source: xkcd https://xkcd.com/538
TOGETHER WE ARE #1 PARTNER FOR BUSINESSES TO HARNESS THE POWER OF DATA FOR A SMARTER LIFE
51 GOODBYE… § E-Mail stefan.oehrli@trivadis.com § LinkedIn https://www.linkedin.com/in/stefanoehrli/ § Blog www.oradba.ch § Twitter @stefanoehrli STEFAN OEHRLI PLATFORM ARCHITECT
AUSOUG Oracle Password Security
Ad

Recommended

Oracle Performance Tuning Fundamentals
Oracle Performance Tuning FundamentalsOracle Performance Tuning Fundamentals
Oracle Performance Tuning Fundamentals
Enkitec
 
Ash masters : advanced ash analytics on Oracle
Ash masters : advanced ash analytics on Oracle Ash masters : advanced ash analytics on Oracle
Ash masters : advanced ash analytics on Oracle
Kyle Hailey
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 1
Tanel Poder
 
Whitepaper: Mining the AWR repository for Capacity Planning and Visualization
Whitepaper: Mining the AWR repository for Capacity Planning and VisualizationWhitepaper: Mining the AWR repository for Capacity Planning and Visualization
Whitepaper: Mining the AWR repository for Capacity Planning and Visualization
Kristofferson A
 
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
AIOUG : OTNYathra - Troubleshooting and Diagnosing Oracle Database 12.2 and O...
Sandesh Rao
 
Exploring Oracle Database Performance Tuning Best Practices for DBAs and Deve...
Exploring Oracle Database Performance Tuning Best Practices for DBAs and Deve...Exploring Oracle Database Performance Tuning Best Practices for DBAs and Deve...
Exploring Oracle Database Performance Tuning Best Practices for DBAs and Deve...
Aaron Shilo
 
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsHow to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata Environments
Sandesh Rao
 
Awr + 12c performance tuning
Awr + 12c performance tuningAwr + 12c performance tuning
Awr + 12c performance tuning
AiougVizagChapter
 
AWR & ASH Analysis
AWR & ASH AnalysisAWR & ASH Analysis
AWR & ASH Analysis
aioughydchapter
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuning
Simon Huang
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion Edition
Markus Michalewicz
 
Migration to Oracle Multitenant
Migration to Oracle MultitenantMigration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
 
Oracle RAC - New Generation
Oracle RAC - New GenerationOracle RAC - New Generation
Oracle RAC - New Generation
Anil Nair
 
B35 all you wanna know about rman by francisco alvarez
B35 all you wanna know about rman by francisco alvarezB35 all you wanna know about rman by francisco alvarez
B35 all you wanna know about rman by francisco alvarez
Insight Technology, Inc.
 
MAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19cMAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19c
Markus Michalewicz
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Markus Michalewicz
 
Top 10 tips for Oracle performance (Updated April 2015)
Top 10 tips for Oracle performance (Updated April 2015)Top 10 tips for Oracle performance (Updated April 2015)
Top 10 tips for Oracle performance (Updated April 2015)
Guy Harrison
 
Enterprise manager 13c
Enterprise manager 13cEnterprise manager 13c
Enterprise manager 13c
MarketingArrowECS_CZ
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder
 
Tanel Poder - Scripts and Tools short
Tanel Poder - Scripts and Tools shortTanel Poder - Scripts and Tools short
Tanel Poder - Scripts and Tools short
Tanel Poder
 
Average Active Sessions RMOUG2007
Average Active Sessions RMOUG2007Average Active Sessions RMOUG2007
Average Active Sessions RMOUG2007
John Beresniewicz
 
AWR and ASH Deep Dive
AWR and ASH Deep DiveAWR and ASH Deep Dive
AWR and ASH Deep Dive
Kellyn Pot'Vin-Gorman
 
How to Use Oracle RAC in a Cloud? - A Support Question
How to Use Oracle RAC in a Cloud? - A Support QuestionHow to Use Oracle RAC in a Cloud? - A Support Question
How to Use Oracle RAC in a Cloud? - A Support Question
Markus Michalewicz
 
Convert single instance to RAC
Convert single instance to RACConvert single instance to RAC
Convert single instance to RAC
Satishbabu Gunukula
 
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャZero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
オラクルエンジニア通信
 
My First 100 days with an Exadata (PPT)
My First 100 days with an Exadata (PPT)My First 100 days with an Exadata (PPT)
My First 100 days with an Exadata (PPT)
Gustavo Rene Antunez
 
Average Active Sessions - OaktableWorld 2013
Average Active Sessions - OaktableWorld 2013Average Active Sessions - OaktableWorld 2013
Average Active Sessions - OaktableWorld 2013
John Beresniewicz
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
Ad

More Related Content

What's hot (20)

AWR & ASH Analysis
AWR & ASH AnalysisAWR & ASH Analysis
AWR & ASH Analysis
aioughydchapter
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuning
Simon Huang
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion Edition
Markus Michalewicz
 
Migration to Oracle Multitenant
Migration to Oracle MultitenantMigration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
 
Oracle RAC - New Generation
Oracle RAC - New GenerationOracle RAC - New Generation
Oracle RAC - New Generation
Anil Nair
 
B35 all you wanna know about rman by francisco alvarez
B35 all you wanna know about rman by francisco alvarezB35 all you wanna know about rman by francisco alvarez
B35 all you wanna know about rman by francisco alvarez
Insight Technology, Inc.
 
MAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19cMAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19c
Markus Michalewicz
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Markus Michalewicz
 
Top 10 tips for Oracle performance (Updated April 2015)
Top 10 tips for Oracle performance (Updated April 2015)Top 10 tips for Oracle performance (Updated April 2015)
Top 10 tips for Oracle performance (Updated April 2015)
Guy Harrison
 
Enterprise manager 13c
Enterprise manager 13cEnterprise manager 13c
Enterprise manager 13c
MarketingArrowECS_CZ
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder
 
Tanel Poder - Scripts and Tools short
Tanel Poder - Scripts and Tools shortTanel Poder - Scripts and Tools short
Tanel Poder - Scripts and Tools short
Tanel Poder
 
Average Active Sessions RMOUG2007
Average Active Sessions RMOUG2007Average Active Sessions RMOUG2007
Average Active Sessions RMOUG2007
John Beresniewicz
 
AWR and ASH Deep Dive
AWR and ASH Deep DiveAWR and ASH Deep Dive
AWR and ASH Deep Dive
Kellyn Pot'Vin-Gorman
 
How to Use Oracle RAC in a Cloud? - A Support Question
How to Use Oracle RAC in a Cloud? - A Support QuestionHow to Use Oracle RAC in a Cloud? - A Support Question
How to Use Oracle RAC in a Cloud? - A Support Question
Markus Michalewicz
 
Convert single instance to RAC
Convert single instance to RACConvert single instance to RAC
Convert single instance to RAC
Satishbabu Gunukula
 
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャZero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
オラクルエンジニア通信
 
My First 100 days with an Exadata (PPT)
My First 100 days with an Exadata (PPT)My First 100 days with an Exadata (PPT)
My First 100 days with an Exadata (PPT)
Gustavo Rene Antunez
 
Average Active Sessions - OaktableWorld 2013
Average Active Sessions - OaktableWorld 2013Average Active Sessions - OaktableWorld 2013
Average Active Sessions - OaktableWorld 2013
John Beresniewicz
 
AWR & ASH Analysis
AWR & ASH AnalysisAWR & ASH Analysis
AWR & ASH Analysis
aioughydchapter
 
Oracle db performance tuning
Oracle db performance tuningOracle db performance tuning
Oracle db performance tuning
Simon Huang
 
Oracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion EditionOracle RAC Internals - The Cache Fusion Edition
Oracle RAC Internals - The Cache Fusion Edition
Markus Michalewicz
 
Migration to Oracle Multitenant
Migration to Oracle MultitenantMigration to Oracle Multitenant
Migration to Oracle Multitenant
Jitendra Singh
 
Oracle RAC - New Generation
Oracle RAC - New GenerationOracle RAC - New Generation
Oracle RAC - New Generation
Anil Nair
 
B35 all you wanna know about rman by francisco alvarez
B35 all you wanna know about rman by francisco alvarezB35 all you wanna know about rman by francisco alvarez
B35 all you wanna know about rman by francisco alvarez
Insight Technology, Inc.
 
MAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19cMAA Best Practices for Oracle Database 19c
MAA Best Practices for Oracle Database 19c
Markus Michalewicz
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the CloudOracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Oracle RAC Virtualized - In VMs, in Containers, On-premises, and in the Cloud
Markus Michalewicz
 
Top 10 tips for Oracle performance (Updated April 2015)
Top 10 tips for Oracle performance (Updated April 2015)Top 10 tips for Oracle performance (Updated April 2015)
Top 10 tips for Oracle performance (Updated April 2015)
Guy Harrison
 
Enterprise manager 13c
Enterprise manager 13cEnterprise manager 13c
Enterprise manager 13c
MarketingArrowECS_CZ
 
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder - Troubleshooting Complex Oracle Performance Issues - Part 2
Tanel Poder
 
Tanel Poder - Scripts and Tools short
Tanel Poder - Scripts and Tools shortTanel Poder - Scripts and Tools short
Tanel Poder - Scripts and Tools short
Tanel Poder
 
Average Active Sessions RMOUG2007
Average Active Sessions RMOUG2007Average Active Sessions RMOUG2007
Average Active Sessions RMOUG2007
John Beresniewicz
 
AWR and ASH Deep Dive
AWR and ASH Deep DiveAWR and ASH Deep Dive
AWR and ASH Deep Dive
Kellyn Pot'Vin-Gorman
 
How to Use Oracle RAC in a Cloud? - A Support Question
How to Use Oracle RAC in a Cloud? - A Support QuestionHow to Use Oracle RAC in a Cloud? - A Support Question
How to Use Oracle RAC in a Cloud? - A Support Question
Markus Michalewicz
 
Convert single instance to RAC
Convert single instance to RACConvert single instance to RAC
Convert single instance to RAC
Satishbabu Gunukula
 
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャZero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
Zero Data Loss Recovery Applianceによるデータベース保護のアーキテクチャ
オラクルエンジニア通信
 
My First 100 days with an Exadata (PPT)
My First 100 days with an Exadata (PPT)My First 100 days with an Exadata (PPT)
My First 100 days with an Exadata (PPT)
Gustavo Rene Antunez
 
Average Active Sessions - OaktableWorld 2013
Average Active Sessions - OaktableWorld 2013Average Active Sessions - OaktableWorld 2013
Average Active Sessions - OaktableWorld 2013
John Beresniewicz
 

Similar to AUSOUG Oracle Password Security (20)

Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
configuring+oracle+rds+with+glasfish+server
configuring+oracle+rds+with+glasfish+serverconfiguring+oracle+rds+with+glasfish+server
configuring+oracle+rds+with+glasfish+server
hunghtc83
 
Aioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_featuresAioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_features
AiougVizagChapter
 
DOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon SecurityDOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon Security
Loopback.ORG
 
Always encrypted overview
Always encrypted overviewAlways encrypted overview
Always encrypted overview
SolidQ
 
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Alex Zaballa
 
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
Securing oracle e-business suite 12.1 and 12.2 technology infrastructureSecuring oracle e-business suite 12.1 and 12.2 technology infrastructure
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
vasuballa
 
12c Database new features
12c Database new features12c Database new features
12c Database new features
Sandeep Redkar
 
State of The Dolphin - May 2021
State of The Dolphin - May 2021State of The Dolphin - May 2021
State of The Dolphin - May 2021
Frederic Descamps
 
DOAG Security Day 2016 Enterprise Security Reloaded
DOAG Security Day 2016 Enterprise Security ReloadedDOAG Security Day 2016 Enterprise Security Reloaded
DOAG Security Day 2016 Enterprise Security Reloaded
Loopback.ORG
 
Les nouveautés de MySQL 8.0
Les nouveautés de MySQL 8.0Les nouveautés de MySQL 8.0
Les nouveautés de MySQL 8.0
Frederic Descamps
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server data
Colin Charles
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c security
Laurent Leturgez
 
Ibm db2 case study
Ibm db2 case studyIbm db2 case study
Ibm db2 case study
Ishvitha Badhri
 
Oracle DBA Configuring network environment
Oracle DBA Configuring network environmentOracle DBA Configuring network environment
Oracle DBA Configuring network environment
pshankarnarayan
 
Configuración de la Red de DB Oracle 11g
Configuración de la Red de DB Oracle 11gConfiguración de la Red de DB Oracle 11g
Configuración de la Red de DB Oracle 11g
188882
 
Oracle on AWS RDS Migration - 성기명
Oracle on AWS RDS Migration - 성기명Oracle on AWS RDS Migration - 성기명
Oracle on AWS RDS Migration - 성기명
AWSKRUG - AWS한국사용자모임
 
Improving oracle12c security
Improving oracle12c securityImproving oracle12c security
Improving oracle12c security
Laurent Leturgez
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database Vault
Stefan Oehrli
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
Stefan Oehrli
 
configuring+oracle+rds+with+glasfish+server
configuring+oracle+rds+with+glasfish+serverconfiguring+oracle+rds+with+glasfish+server
configuring+oracle+rds+with+glasfish+server
hunghtc83
 
Aioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_featuresAioug vizag oracle12c_new_features
Aioug vizag oracle12c_new_features
AiougVizagChapter
 
DOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon SecurityDOAG 2016 Oracle Logon Security
DOAG 2016 Oracle Logon Security
Loopback.ORG
 
Always encrypted overview
Always encrypted overviewAlways encrypted overview
Always encrypted overview
SolidQ
 
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Alex Zaballa
 
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
Securing oracle e-business suite 12.1 and 12.2 technology infrastructureSecuring oracle e-business suite 12.1 and 12.2 technology infrastructure
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
vasuballa
 
12c Database new features
12c Database new features12c Database new features
12c Database new features
Sandeep Redkar
 
State of The Dolphin - May 2021
State of The Dolphin - May 2021State of The Dolphin - May 2021
State of The Dolphin - May 2021
Frederic Descamps
 
DOAG Security Day 2016 Enterprise Security Reloaded
DOAG Security Day 2016 Enterprise Security ReloadedDOAG Security Day 2016 Enterprise Security Reloaded
DOAG Security Day 2016 Enterprise Security Reloaded
Loopback.ORG
 
Les nouveautés de MySQL 8.0
Les nouveautés de MySQL 8.0Les nouveautés de MySQL 8.0
Les nouveautés de MySQL 8.0
Frederic Descamps
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server data
Colin Charles
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c security
Laurent Leturgez
 
Ibm db2 case study
Ibm db2 case studyIbm db2 case study
Ibm db2 case study
Ishvitha Badhri
 
Oracle DBA Configuring network environment
Oracle DBA Configuring network environmentOracle DBA Configuring network environment
Oracle DBA Configuring network environment
pshankarnarayan
 
Configuración de la Red de DB Oracle 11g
Configuración de la Red de DB Oracle 11gConfiguración de la Red de DB Oracle 11g
Configuración de la Red de DB Oracle 11g
188882
 
Oracle on AWS RDS Migration - 성기명
Oracle on AWS RDS Migration - 성기명Oracle on AWS RDS Migration - 성기명
Oracle on AWS RDS Migration - 성기명
AWSKRUG - AWS한국사용자모임
 
Improving oracle12c security
Improving oracle12c securityImproving oracle12c security
Improving oracle12c security
Laurent Leturgez
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database Vault
Stefan Oehrli
 
Ad

More from Stefan Oehrli (14)

OracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdfOracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdf
Stefan Oehrli
 
IaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LABIaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LAB
Stefan Oehrli
 
SOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesSOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security Features
Stefan Oehrli
 
SOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20cSOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20c
Stefan Oehrli
 
Oracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformOracle Cloud deployment with Terraform
Oracle Cloud deployment with Terraform
Stefan Oehrli
 
DOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsDOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant Environments
Stefan Oehrli
 
SOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesSOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant Databases
Stefan Oehrli
 
UKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesUKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle Databases
Stefan Oehrli
 
UKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and SecurityUKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and Security
Stefan Oehrli
 
Trivadis triCast Oracle Centrally Managed Users 18/19c
Trivadis triCast Oracle Centrally Managed Users 18/19cTrivadis triCast Oracle Centrally Managed Users 18/19c
Trivadis triCast Oracle Centrally Managed Users 18/19c
Stefan Oehrli
 
Oracle und Docker
Oracle und DockerOracle und Docker
Oracle und Docker
Stefan Oehrli
 
Oracle and Docker
Oracle and DockerOracle and Docker
Oracle and Docker
Stefan Oehrli
 
AOUG 2019 Oracle Centrally Managed Users 18c / 19c
AOUG 2019 Oracle Centrally Managed Users 18c / 19cAOUG 2019 Oracle Centrally Managed Users 18c / 19c
AOUG 2019 Oracle Centrally Managed Users 18c / 19c
Stefan Oehrli
 
DOAG Webinar Oracle und Docker
DOAG Webinar Oracle und DockerDOAG Webinar Oracle und Docker
DOAG Webinar Oracle und Docker
Stefan Oehrli
 
OracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdfOracleBeer_Terraform_soe.pdf
OracleBeer_Terraform_soe.pdf
Stefan Oehrli
 
IaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LABIaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LAB
Stefan Oehrli
 
SOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesSOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security Features
Stefan Oehrli
 
SOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20cSOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20c
Stefan Oehrli
 
Oracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformOracle Cloud deployment with Terraform
Oracle Cloud deployment with Terraform
Stefan Oehrli
 
DOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsDOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant Environments
Stefan Oehrli
 
SOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesSOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant Databases
Stefan Oehrli
 
UKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesUKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle Databases
Stefan Oehrli
 
UKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and SecurityUKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and Security
Stefan Oehrli
 
Trivadis triCast Oracle Centrally Managed Users 18/19c
Trivadis triCast Oracle Centrally Managed Users 18/19cTrivadis triCast Oracle Centrally Managed Users 18/19c
Trivadis triCast Oracle Centrally Managed Users 18/19c
Stefan Oehrli
 
Oracle und Docker
Oracle und DockerOracle und Docker
Oracle und Docker
Stefan Oehrli
 
Oracle and Docker
Oracle and DockerOracle and Docker
Oracle and Docker
Stefan Oehrli
 
AOUG 2019 Oracle Centrally Managed Users 18c / 19c
AOUG 2019 Oracle Centrally Managed Users 18c / 19cAOUG 2019 Oracle Centrally Managed Users 18c / 19c
AOUG 2019 Oracle Centrally Managed Users 18c / 19c
Stefan Oehrli
 
DOAG Webinar Oracle und Docker
DOAG Webinar Oracle und DockerDOAG Webinar Oracle und Docker
DOAG Webinar Oracle und Docker
Stefan Oehrli
 
Ad

Recently uploaded (20)

Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityCyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of security
riccardosl1
 
Big Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur MorganBig Data Analytics Quick Research Guide by Arthur Morgan
Big Data Analytics Quick Research Guide by Arthur Morgan
Arthur Morgan
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
tecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdftecnologias de las primeras civilizaciones.pdf
tecnologias de las primeras civilizaciones.pdf
fjgm517
 
Cybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure ADCybersecurity Identity and Access Solutions using Azure AD
Cybersecurity Identity and Access Solutions using Azure AD
VICTOR MAESTRE RAMIREZ
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
organizerofv
 
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxDevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
Justin Reock
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond SparkRusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Spark
carlyakerly1
 
What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...What is Model Context Protocol(MCP) - The new technology for communication bw...
What is Model Context Protocol(MCP) - The new technology for communication bw...
Vishnu Singh Chundawat
 
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Drupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy ConsumptionDrupalcamp Finland – Measuring Front-end Energy Consumption
Drupalcamp Finland – Measuring Front-end Energy Consumption
Exove
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx2025-05-Q4-2024-Investor-Presentation.pptx
2025-05-Q4-2024-Investor-Presentation.pptx
Samuele Fogagnolo
 
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)
Ortus Solutions, Corp
 

AUSOUG Oracle Password Security

  • 1. 1 11th November 2021 4.30 PM AEDT Security Best Practice: Oracle passwords, but secure! Stefan Oehrli Big Data/Analytics/Security/EPM & BI Summit Event Partners
  • 2. SECURITY BEST PRACTICE Oracle passwords, but secure!
  • 3. 3 HALLO, GRÜESSECH, HI! § Since 1997 active in various IT areas § More than 24 years of experience in Oracle databases § Focus: Protecting data and operating databases securely o Security assessments and reviews o Database security concepts and their implementation o Oracle Backup & Recovery concepts and troubleshooting o Oracle Enterprise User and Advanced Security, DB Vault, … o Oracle Directory Services § Co-author of the book The Oracle DBA (Hanser, 2016/07) STEFAN OEHRLI PLATFORM ARCHITECT
  • 4. 4
  • 6. 6 AGENDA § Introduction § Oracle Password Hashes § Oracle Logon Process § Challenges § Password Complexity § Good Practice § Conclusion
  • 8. 8 HOW MUCH SECURITY DO YOU NEED?
  • 9. 11 BUT HONESTLY, ARE PASSWORDS STILL AN ISSUE? § Password based authentication is still one of the most used methods → Flexibility § A large number of DB, Clients or Apps require legacy hashes / protocols → Compatibility § Password Verification Functions do not keep pace with CPU evolvements → Standards § The standards of the vendors are usually not the securest → Security Hardening § Software, hashes and protocols reveal security flaws over time Secure authentication is crucial, otherwise further security measures are questionable
  • 11. 13 WHAT IS A HASH FUNCTION? § Mathematical algorithm to map data of any size to a bit array of a fixed length § It is deterministic § Quick to compute hash for any given message § One-way function § Infeasible to generate a message that yields a given hash value § Infeasible to find two different messages with the same hash value → Collision § Known Cryptographic Hash Algorithms o MD5 o SHA-1 o SHA-2 i.e., SHA-256 and SHA-512
  • 12. 14 ORACLE PASSWORD HASH FUNCTIONS § Oracle 10g Hash Function o Based on DES and an Oracle specific algorithm o Case insensitive and weak password Salt => Username § MD5 based Hash Function o used for digest authentication in XDB § Oracle 11g Hash Function o Based on the SHA1 hash algorithm o SHA1 is no longer considered safe (since 2005 see Wikipedia SHA-1) o Supports case sensitive and multibyte character passwords § Oracle 12c Hash Function o based on a de-optimized algorithm involving PBKDF2 and SHA-512 o Supports case sensitive and multibyte character passwords § Recommendation: Only use Oracle 12c Hash Function
  • 13. 15 ORACLE 10G PASSWORD VERIFIER CREATE USER syste IDENTIFIED BY mmanager; User created. ALTER USER system IDENTIFIED BY manager; User altered. SELECT name, password FROM sys.user$ WHERE name LIKE 'SYSTE%'; USERNAME PASSWORD ------------------------------ ------------------------------ SYSTEM D4DF7931AB130E37 SYSTE D4DF7931AB130E37 § Passwords of local users are stored as 8-byte password hashes in base table SYS.USER$ § This algorithm has several weaknesses 1. Weak password salt => user namey
  • 14. 16 ORACLE 10G PASSWORD VERIFIER ALTER USER system IDENTIFIED BY ManAger; User altered. SELECT name, password FROM sys.user$ WHERE name LIKE 'SYSTEM'; USERNAME PASSWORD ------------------------------ ------------------------------ SYSTEM D4DF7931AB130E37 § This algorithm has several weaknesses 2. Not case sensitive 3. Based on a legacy and proprietary hash function
  • 15. 17 ORACLE 10G PASSWORD ALGORITHM Weak Hash Algorithm 1. Associate the user with the password to a clear text string 2. Convert clear text to upper case letters 3. Convert clear text to a Unicode string 4. Encryption of the clear text with DES CBC and a fixed key 0x0123456789ABCDEF If necessary the clear text 0 is padded to the next even block 5. Additional encryption of the clear text with DES CBC Here the last block of step 4 is used as the key. The last block is then used as the hash value
  • 16. 18 EXAMPLE ORACLE 10G PASSWORD ALGORITHM Username : system Password : manager - STEP 1 ---------------------------------------------------------- Salted String : systemmanager - STEP 2 ---------------------------------------------------------- Upper String : SYSTEMMANAGER - STEP 3 ---------------------------------------------------------- Unicode String : 00530059005300540045004D004D0041004E0041004700450052 - STEP 4 ---------------------------------------------------------- 1st Key : 0123456789ABCDEF 1st Hash value : 643624EDC5FEA9B402B0B017E7CB7DB713108AC1914E984FE2EDDFE949A0C3C1 - STEP 5 --------------------------------------------------------- 2nd Key : E2EDDFE949A0C3C1 2nd Hash Value : A2295A85F9B413C2D2B25971D5199A0BA6C4C6035A4906B2D4DF7931AB130E37 Password Hash : D4DF7931AB130E37
  • 17. 19 ORACLE 11G PASSWORD VERIFIER SELECT name, regexp_substr(spare4,'((S:.+);|(S:.+))',1,1,'i’,1) HASH FROM user$ WHERE name='TEST’; NAME HASH ---------- -------------------------------------------------------------- TEST S:885B3ACB933CCBEF42DA4455BC4F1597E823F144A37F22B76F48F0CFFC52 § Based on SHA-1 and supports Case Sensitive and Multibyte Character Passwords Actually everything that your character set offers But special characters requires quotes e.g. " " § Password hash is stored in column SPARE4 in base table SYS.USER$ Hash value does have the prefix S: sys.user$spare4 = SHA1(pwd concat with salt) concat with salt § The hash function is a simple SHA-1 function
  • 18. 20 EXAMPLE ORACLE 11G PASSWORD ALGORITHM ALTER USER test IDENTIFIED BY Welcome1; SELECT name, substr(regexp_substr(spare4,'((S:.+);|(S:.+));',1,1,'i',1), 1,40 ) HASH, substr(regexp_substr(spare4,'((S:.+);|(S:.+));',1,1,'i',1), 41) SALT FROM user$ WHERE name='TEST’; NAME HASH SALT ---------- ---------------------------------------- -------------------- TEST 885B3ACB933CCBEF42DA4455BC4F1597E823F144 A37F22B76F48F0CFFC52 SELECT sys.dbms_crypto.hash(utl_raw.cast_to_raw('Welcome1')|| hextoraw('A37F22B76F48F0CFFC52'),3) HASH FROM dual; HASH ---------------------------------------- 885B3ACB933CCBEF42DA4455BC4F1597E823F144
  • 19. 21 ORACLE 12C PASSWORD VERIFIER SELECT name, regexp_substr(spare4,'((T:.+);|(T:.+))',1,1,'i',1) HASH FROM user$ WHERE name='TEST'; NAME HASH ----- -------------------------------------------------------------------- TEST T:1902FCD14B0096A5F6E44E2C0B87747911879173740A0FC8D8D346532731FE46A2 72123A0C53D79BDF26AB4FABAEEEF2964DEAE00B4626696C6CBE2ABEF753006B8D0E 3DFA2CB0480115E8457AE954E6 § Based on a de-optimized algorithm involving PBKDF2 and SHA-512 o See Oracle® Database Security Guide 19c About the 12C Version of the Password Hash § Supports Case Sensitive and Multibyte Character Passwords § Password hash is stored in column SPARE4 in base table SYS.USER$ o Hash value does have the prefix T: § Oracle 12c Password Hash is supported by Client / Server Oracle Release 11.2.0.3
  • 20. 22 WHICH PASSWORD VERIFIER IS AVAILABLE SELECT username,password_versions FROM dba_users WHERE username LIKE 'USER_%' ORDER BY 1; USERNAME PASSWORD_VERSIONS ------------------------- ----------------- USER_10G 10G USER_11G 11G USER_12C 12C USER_ALL 10G 11G 12C § Query PASSWORD_VERSIONS from DBA_USERS § Effective hash values stored in USER$ o Oracle 10g Hash column PASSWORD o Oracle 11g Hash column SPARE4 Prefix S: o Oracle 12c Hash column SPARE4 Prefix T:
  • 22. 24 ORACLE LOGON PROCESS § Establish initial connection i.e. TNS name resolution, connection request to listener, etc. § Negotiate session- and optional encryption keys § Initiate authentication either ... o Password base for DB, CMU, EUS, Proxy or orapwd file authentication o External / OS based for OS, Kerberos, Radius, SSL or admin privileges e.g. SYSDBA § Password based authentication is always done on the DB i.e. password hashes have to be available to the database o SYS.USER$ or orapwd file o EUS/CMU relevant LDAP attributes e.g. userPassword, orclCommonAttribute
  • 23. 25 ORACLE LOGIN PROCESS O3LOGON/O5LOGON Client sends user name • Database fetches password hash from SYS.USER$ • Generates session key (random) • Encrypts key with hash • Generates hash from password • Decrypts session key • Encrypts password with session key • Decrypts password with session key • Generates password hash with this • Compares hash with SYS.USER$ • Sends result Login successful? User name Status Password (encrypt.) Session Key / Salt
  • 24. 26 AUTHENTICATION PROTOCOL § Login protocol is defined by the sqlnet.ora configuration o SQLNET.ALLOWED_LOGON_VERSION_SERVER (default 12) o SQLNET.ALLOWED_LOGON_VERSION_CLIENT (default 11) § Here "version" refers to the version of the login protocol, not the database version § Appropriate password versions / hashes must be available o See DBA_USERS.PASSWORD_VERSIONS § Default value of ALLOWED_LOGON_VERSION_SERVER o Up to Oracle 12.1.0.2 => 8 all hashes are created o From Oracle 12.2.0.1 => 12 only 11c and 12c hashes are created § Recommended setting for ALLOWED_LOGON_VERSION_SERVER is 12a o Only the 12c Password Verifier is used
  • 25. 27 OVERVIEW AUTHENTICATION PROTOCOL § Authentication Registration protocols version and the limitations / capabilities o ALV = SQLNET.ALLOWED_LOGON_VERSION_SERVER/CLIENT ALV Password Version Client ability Meaning 12a 12c O7L_MR Only Oracle 12.1.0x clients 12 11g, 12c O7L_NP Only clients with CPUOct 2012 11 10g, 11g, 12c O5L Oracle 10g and later, DBs older than 11.2.0.3 or without CPUOct 2012 must use 10g passwords 10 10g, 11g, 12c O5L 9 10g, 11g, 12c O4L Oracle 9i and newer 8 10g, 11g, 12c O3L Oracle 8i and older
  • 27. 29 PROTOCOL AND PASSWORD HASHES SQL> ALTER USER scott IDENTIFIED BY values 'S:22D8239017006EBDE054108BF367F225B5E731D12C91A3BEB31FA28D4A38'; § Corresponding password versions / hashes must be available o See DBA_USERS.PASSWORD_VERSIONS § If the version is not greater/equal, the connection is terminated o ORA-28040: No matching authentication protocol § If the corresponding hash is missing, the connection is terminated o ORA-01017: invalid username/password; logon denied § By setting/deleting the corresponding hashes, you can indirectly control which logon protocol is used
  • 28. 30 WEAKNESSES IN THE PASSWORD SYSTEM § Password hashes are all over the place o Not everywhere, but in enough places o Miscellaneous base tables in the data dictionary o orapwd file used for remote login as administrative user § If the hashes are known, dictionary, rule or brute force based attacks are possible § Limitation and vulnerabilities of password hash functions o E.g. known hash collisions § Character restriction (no upper/lower case up to and including Oracle 10g, in principle no special characters allowed) o Partial compatibility problems with different tools
  • 29. 31 RISKS OF THE ORACLE LOGIN PROCESS § Is the login process secure? § User name passes through the network unencrypted § But no password, no password hash § Password is automatically encrypted between client and server via AES § If password hash known, session key could be decrypted § Vulnerability found for password verifier using SHA-1 in October 2012 o Security vulnerability in login process CVE-2012-3137 o Clients and servers need to be patched and password reset o Information in MOS Note 1492721.1 and 1493990.1 o Hint: Every Client which is not patched or using legacy logon process is still affected from this vulnerability
  • 30. 32 CONFIGURATION – ORA-01017 OR ORA-28040 § False Configurations can lead to issues, mostly to ORA-01017 or ORA-28040 o E.g. set SEC_CASE_SENSITIVE_LOGON=FALSE and ALLOWED_LOGON_VERSION_SERVER>=12 § Database Migrations using expdp/impdp import users as they are o Can lead to wrong / missing password verifiers o Source DB has only 10g hashes but target requires 11g or 12c password verifiers o MOS Note 2289453.1 ORA-39384 Warning: User <USERNAME> Has been locked … o Post by Mike Dietrich What happens to PASSWORD_VERSIONS during an upgrade to Oracle 12.2? § Applications limiting password character pool o Some applications cannot handle certain special characters, umlauts etc. o $ " @ # can be challenging to escape properly § Client Libraries (OCI, JDBC,…) not coping with new hash algorithms o Legacy issue from Oracle 10g to 11g transition o Client occasionally simply converted the password to uppercase
  • 32. 34 PASSWORD PROFILES § Since Oracle8 it is possible to create password profiles and assign them to users § Password profiles define the criteria for passwords o complexity with a password check function o Number of incorrect logins, number, lock and grace time o Validity period of passwords o Password history § Oracle provides a script utlpwdmg.sql to configure password profiles and functions o The script is updated with every Oracle release o The script is not executed depending on the Release / Create method o It includes profiles based on CIS and Database STIG recommendations § Password verification function can be created using Oracle functions: o ora_string_distance Calculation of the difference between two strings according to the Levenshtein distance o ora_complexity_check Checking the password complexity of a string
  • 33. 35 GOOD IDEA TO SPECIFY COMPLEXITY RULES? Example Password Rule § Password with digits, upper and lower case letters § 8-character password length § At least 1 capital letter § At least 1 lower case letter § At least 1 digit The Problem § Number of characters 26+26+10=62 § Combinations for 8-character password 628 § Minus the special cases: o Digits only 108 o Letters only 528 o Upper and lower case only 268 + 268 About a quarter less combinations! Effective Combinations 75.32% Digits only 0% Upper case only 0.10% Lower case only 0.10% Characters only 24.48% PASSWORDS
  • 34. 36 BUT WHAT ARE GOOD PASSWORDS? Not easy to answer anyway, if there is an answer at least. A few principles and good practices: § Passwords must be easy to “remember” either by you or your password manager § Pool of unique characters should be as large as possible ... and feasible J § Maximum manageable length should be selected o The longer, the better J § Password should not be based on common words, names or know passwords i.e. password dictionary § Do not follow any obvious rules § Password should have high entropy
  • 35. 37 PASSWORD ENTROPY § Entropy is a measurement of how unpredictable a password 𝐸 = 𝐿𝑜𝑔! 𝑅" o 𝑅" = number of possible passwords o E = password entropy in bits o R = pool of unique character o L = number of character i.e. password length § Entropy for the example before 𝐸 = 𝐿𝑜𝑔! 62# = 47.6 bits § Today's GPU can calculate several million hashes per second o MacBook Pro 2020 400MH/s for Oracle 10g o 36 - 59 bits used to be reasonable secure § Safe Password? It depends… o … on how the password is generated (random is not always that random) o … on a possible attack method e.g. Welcome1 meets the password rule
  • 36. 38 EXAMPLE STRONG PASSWORDS Source: xkcd https://xkcd.com/936
  • 37. 39 CHECK THE PASSWORDS! SELECT username FROM dba_users_with_defpwd; USERNAME ---------- CTXSYS SCOTT § The view DBA_USERS_WITH_DEFPWD can be used to easily check whether the default passwords of users created by Oracle have been changed § Alternative checking of the known hash with appropriate tools o DBMS_CRYPTO to calculate the hash manually o Password Crack Tools like Hashcat, John the Ripper and others
  • 38. 40 PASSWORD VERIFICATION USING TOOLS § Tools Hashcat and John the Ripper do support a wide range of known password hashes o Including all hash functions used by Oracle e.g. 10g, 11g, 12c § GPU power is a crucial factor when calculating hash values o Tools do use CPU and GPU to calculate hashes where GPU o Whereby GPU are faster by factors § Different attack methods are possible: o Dictionary based – testing passwords from wordlist e.g. 5-10 Mio o Rule based – Extend wordlist by rules e.g. flip chars, add numbers etc. o Brute force – Calculate every combination out of a character pool § The tools are basically free and publicly available o Relatively well documented and No darknet experience required J § The use might be illegal depending on country and region o Depends on the purpose of use
  • 39. 41 WHAT IS POSSIBLE – MACBOOK PRO 2018 hashcat --benchmark --hash-type 3100 -D 1,2,3 hashcat (v6.1.1) starting in benchmark mode... OpenCL API (OpenCL 1.2 (Oct 29 2020 19:50:08)) - Platform #1 [Apple] ==================================================================== * Device #1: Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 32704/32768 MB * Device #2: Intel(R) UHD Graphics 630, 1472/1536 MB (384 MB allocatable), 24MCU * Device #3: AMD Radeon Pro 560X Compute Engine, 4032/4096 MB (1024 MB allocatable), 16MCU Hashmode: 3100 - Oracle H: Type (Oracle 7+) Speed.#1.........: 11719.5 kH/s (66.85ms) @ Accel:128 Loops:512 Thr:1 Vec:4 Speed.#2.........: 4423.3 kH/s (85.02ms) @ Accel:128 Loops:16 Thr:8 Vec:1 Speed.#3.........: 117.8 MH/s (67.33ms) @ Accel:128 Loops:64 Thr:64 Vec:1 Speed.#*.........: 133.9 MH/s § Simple Hashcat benchmark for the Oracle 7+ hashes i.e. 10g password verifier
  • 40. 42 WHAT IS POSSIBLE – MACBOOK PRO 2020 hashcat --benchmark --hash-type 3100 -D 1,2,3 hashcat (v6.1.1) starting in benchmark mode... OpenCL API (OpenCL 1.2 (Jun 8 2020 17:36:15)) - Platform #1 [Apple] ==================================================================== * Device #1: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz, 65472/65536 MB * Device #2: Intel(R) UHD Graphics 630, 1472/1536 MB (384 MB allocatable), 24MCU * Device #3: AMD Radeon Pro 5500M Compute Engine, 8112/8176 MB (2044 MB allocatable), 24MCU Hashmode: 3100 - Oracle H: Type (Oracle 7+) Speed.#1.........: 8891.4 kH/s (58.73ms) @ Accel:32 Loops:1024 Thr:1 Vec:4 Speed.#2.........: 4653.3 kH/s (78.22ms) @ Accel:4 Loops:512 Thr:8 Vec:1 Speed.#3.........: 400.4 MH/s (61.61ms) @ Accel:256 Loops:64 Thr:64 Vec:1 Speed.#*.........: 414.0 MH/s § Simple Hashcat benchmark for the Oracle 7+ hashes i.e. 10g password verifier
  • 41. 43 WHAT IS GENERALLY POSSIBLE? Performance for other hash values differs Power of my MacBook pro not enough? § No need to rent a Cray-2 § Just buy a decent graphic card or two i.e., for game not office usage J § Set up a compute instance in a cloud o All cloud vendors have options for GPU support Hash Type MB Pro 2018 MB Pro 2020 Nvidia GTX 1080 TI MD5 4’921.4 MH/s 11’240.0 MH/s 31’103.4 MH/s SHA-1 1’783.2 MH/s 4’296.9 MH/s 11’374.1 MH/s Oracle 7+ 133.9 MH/s 414.0 MH/s 1’320.0 MH/s Oracle 11+ 1’766.6 MH/s 4’283.2 MH/s 11’222.5 MH/s Oracle 12+ 4390 H/s 3698 H/s 150.2 kH/s
  • 43. 45 GOOD PRACTICE Keep your Oracle Clients and Server up to date § Stay updated by following Critical Patch Updates, Security Alerts and Bulletins § Install security fixes in a reasonable time frame Consider using strong Authentication § Kerberos and SSL based Authentication Don’t use legacy password verifier § Use Oracle password file version 12.2 § Explicitly configure ALLOWED_LOGON_VERSION_SERVER to 12a and exclusively use 12c hash values § Start using PBKDF2 SHA-512 for directory-based password authentication with EUS and CMU § Art. 32 GDPR Security of processing MD5, SHA-1 and Oracle 10g password verifiers are definitely not state of the art any more
  • 44. 46 GOOD PRACTICE Revise your password policies § NIST, CIS, STIG and other standards are continuously adjusted § Does the complexity rule still make sense or does it just reduce the amount of possibilities User awareness training § Make sure your user know the principle of good and bad § Use of phase phrase rather than password
  • 45. 47 GOOD PRACTICE Reduce the attack vector § Limit access to password hash values o e.g., password files, SYS.USER$ and other base tables § Know where you have password hash values o e.g., in application tables § Implement general database hardening o Oracle Database Lockdown o Oracle® Database Security Guide 19c o CIS Oracle Database Benchmark 19c o DoD Oracle Database 12c STIG - Ver 1, Rel 18 § Once again training of security awareness…
  • 47. 49 CONCLUSION § There is no absolute security nor secure passwords o Computing power evolves § Revise your password rule § Keep software up to date o That means server and clients § Don’t use legacy configuration o 10g/11g hashes o SEC_CASE_SENSITIVE_LOGON § Consider using strong authentication o Kerberos or SSL Source: xkcd https://xkcd.com/538
  • 48. TOGETHER WE ARE #1 PARTNER FOR BUSINESSES TO HARNESS THE POWER OF DATA FOR A SMARTER LIFE
  • 49. 51 GOODBYE… § E-Mail [email protected] § LinkedIn https://www.linkedin.com/in/stefanoehrli/ § Blog www.oradba.ch § Twitter @stefanoehrli STEFAN OEHRLI PLATFORM ARCHITECT