New Enhanced Password Security Features in 11g
Oracle 11g New Features Tips by Burleson Consulting
July 8, 2008
Oracle has taken a great number of steps towards a more secure database with 11g by introducing new anti-hacking features. In the following section we will look at the most important security improvements. First let's see what the enhanced password features are good for.
Enhanced hashing algorithm
The publication of the Oracle password hashing algorithm in October 2005 by the SANS Institute started a new era of hacking attacks. Anybody who could get hold of the hashes from the data dictionary and knew the hashing algorithm could reverse engineer the passwords of Oracle users.
Therefore Oracle has changed the view DBA_USERS in 11g: it cannot be used to retrieve the hashed passwords any more.
LUTZ AS SYSDBA @ orcl SQL> SELECT username, password FROM DBA_users;

USERNAME                       PASSWORD
------------------------------ ------------------------------
MGMT_VIEW
SYS
SYSTEM
DBSNMP
SYSMAN
LUTZ1
LUTZ
L_SEC
LUT
OUTLN
FLOWS_FILES
ANONYMOUS
EXFSYS
WMSYS
XDB
FLOWS_030000
DIP
APEX_PUBLIC_USER
ORACLE_OCM
TSMSYS
XS$NULL

21 rows selected.
But there is still the threat of a passive attack which retrieves usernames and hashes from outside the database by sniffing network packets. Such attacks are very difficult to detect.
In March 2007 two hackers published a paper on a hacker site called THC with detailed information on how a passive attack could be launched and how to crack passwords for Oracle user accounts. They claimed to be able to crack any 8-character Oracle password with a normal PC within a maximum of 41 days, or even within minutes if the password does not exceed a length of 6 characters.
Oracle strongly recommends that customers use passwords with a minimum length of 10 characters!
In 10g and before, Oracle used a hashing algorithm which converted the password string to upper case and then encrypted it, using the username as a seed for the encryption. This made it easy for somebody who knew how to reverse engineer the scheme to find out a password if he/she could get hold of a list of usernames and encrypted password strings.
Starting with version 11g, Oracle uses the more secure 160-bit hashing algorithm SHA-1 to hash a password, and the username is no longer used as an input to the hash. Passwords are salted, which means that identical usernames and passwords create different hashes.
The encrypted password is always what is sent through the network.
The column spare4 in the view sys.user$ returns the enhanced hashes.
LUTZ AS SYSDBA @ orcl SQL> SELECT name, SPARE4 FROM sys.user$;

NAME                           SPARE4
------------------------------ --------------------------------
SYS                            S:4C2155AAA66F2360470789ED3371EC6D7E677A21739DA379376573ADA06E
PUBLIC
CONNECT
RESOURCE
DBA
SYSTEM                         S:287AB640295568BC2A68038DE0E72495D86AF48A0C29ACCBA1F8148080F7
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
OUTLN                          S:3D4AE339C6E34FBFD59671A5BE9456E8D36EC9C05F94FF09799B44F0DDDA
EXP_FULL_DATABASE
IMP_FULL_DATABASE
LOGSTDBY_ADMINISTRATOR
DIP                            S:09737BB5C3C953E97FC66EA76E1219AA4ABC1D8929804B6A136E7257509C
TSMSYS                         S:7ADDA4A0404C5FC5C868CAD4251B0DD5F08833E1342B514DFB5AC5DD6BA0
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
GATHER_SYSTEM_STATISTICS
ORACLE_OCM                     S:B99DA77F6710001D1B3681DD1E3DB68A8E78C924985AF6278DEF7DA93572
XDBADMIN
RECOVERY_CATALOG_OWNER
SCHEDULER_ADMIN
HS_ADMIN_ROLE
GLOBAL_AQ_USER_ROLE
OEM_ADVISOR
OEM_MONITOR
DBSNMP                         S:B29CB866BF7A73B0C74B70DF09DAF4B462D1AD4445118962BBDA96550161
WMSYS                          S:15BDF5FE5FFE5DB12158AACE20681A568B251BFA01E07B91BFF1B76DEF74
WM_ADMIN_ROLE
JAVAUSERPRIV
JAVAIDPRIV
JAVASYSPRIV
JAVADEBUGPRIV
EJBCLIENT
JMXSERVER
JAVA_ADMIN
JAVA_DEPLOY
EXFSYS                         S:7DCF3854E05D331F84F4656330AADFFCF7CD3E5C62822D943D9C52C29B7D
XDB                            S:5F0CE0691D0049201DBA7AFE207401BCA921A32E8BD4349A57EEA5DEB747
ANONYMOUS
XS$NULL                        S:540B7513773DCA68ABE9E14E8DBC6CB03DC89C005C4B0844D655E69E442C
XDB_SET_INVOKER
AUTHENTICATEDUSER
XDB_WEBSERVICES
XDB_WEBSERVICES_WITH_PUBLIC
XDB_WEBSERVICES_OVER_HTTP
_NEXT_USER
SYSMAN                         S:B9E055880876E2758725EBA09D350720B896E2C554225979A7145B77B7B7
MGMT_USER
MGMT_VIEW                      S:39689CD0FB2793A01E9E70377BFA36E1FB4C8F240516AB1851840D4018DC
FLOWS_FILES                    S:54340332D71F4E3644D5CA2214277AD7DF2144405D2550D99ABB433F6495
APEX_PUBLIC_USER               S:62326448860BEBC08BEDBABF051DE1A0994DC85A20331EE64242E2247C65
FLOWS_030000                   S:BF187319591F4C1D5D6AEEEE17CB39C9F805EF2A3BFB400EF3CD04F47943
LUTZ                           S:F2DFB72CB8966B0D5357A2306F3F8F6CE51DC63A6B93AE3B292A91940408

56 rows selected.
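The S: values above, worked through as an added example (not code from the book or from Oracle): it assumes, as commonly documented for the 11g format but not stated in the text, that the 60 hex characters after "S:" are the SHA-1 of the password bytes concatenated with a random 10-byte salt, followed by that salt in hex. Building, parsing and verifying such a value shows why the username no longer matters and why two accounts with the same password no longer share a hash.

```python
import hashlib
import hmac
import os

# Assumed layout of the 11g "S:" value in sys.user$.spare4 (not from the
# page): 40 hex chars of SHA-1(password || salt) followed by 20 hex chars
# of a random 10-byte salt. The username is not an input to the hash.
SALT_LEN = 10


def make_spare4(password, salt=None):
    """Build an 11g-style S: value; a fresh random salt is drawn if none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("11g salt must be %d bytes" % SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + (digest + salt.hex()).upper()


def parse_spare4(value):
    """Split an S: value into (sha1_digest_bytes, salt_bytes); reject other formats."""
    if not value.startswith("S:") or len(value) != 2 + 40 + 2 * SALT_LEN:
        raise ValueError("not an 11g S: hash")
    body = value[2:]
    return bytes.fromhex(body[:40]), bytes.fromhex(body[40:])


def verify_password(password, spare4):
    """Check a candidate password against a stored S: value (constant-time compare)."""
    digest, salt = parse_spare4(spare4)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo: two accounts set to the same password get two
    # different S: values, so a leaked hash list no longer reveals shared
    # passwords, and the account name plays no role in the result.
    shared = "Correct-Horse-9"
    for user in ("LUTZ", "LUTZ1"):
        print(user, make_spare4(shared))
```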
This is an excerpt from the book Oracle 11g New Features: Expert Guide to the Important New Features by John Garmany, Steve Karam, Lutz Hartmann, V. J. Jain and Brian Carr.