| From: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
|---|---|
| To: | "Mark Mielke *EXTERN*" <mark(at)mark(dot)mielke(dot)cc>, "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | "Dave Page" <dpage(at)pgadmin(dot)org>, "Marko Kreen" <markokr(at)gmail(dot)com>, "Andrew Dunstan" <andrew(at)dunslane(dot)net>, "mlortiz" <mlortiz(at)uci(dot)cu>, "Magnus Hagander" <magnus(at)hagander(dot)net>, "pgsql-hackers" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Rejecting weak passwords |
| Date: | 2009-10-15 14:38:00 |
| Message-ID: | D960CB61B694CF459DCFB4B0128514C203937FA3@exadv11.host.magwien.gv.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Mark Mielke wrote:
> Does Oracle really do password checks on the base SQL commands used to
> change an Oracle password? That sounds silly.
In Oracle you can write a stored procedure to check passwords;
it is invoked whenever a user is created or altered.
No matter how you change the password, Oracle can always recover
the plaintext and feed it to the password checking function.
So, unless you use the "Advanced Security" option (extra $$) that
enables you to encrypt network connections, any eavesdropper
with knowledge of Oracle's (secret) encryption algorithms can get
your new password when you change it.
And the DBA can get your password with ease.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Dave Page | 2009-10-15 14:38:20 | Re: Client application name |
| Previous Message | Tom Lane | 2009-10-15 14:36:54 | Re: Trigger with WHEN clause (WIP) |