October 31, 2005 11:07 AM PST

Oracle: Policies can protect passwords

by Joris Evers

In response to criticism published by two researchers last week that the protection mechanism for Oracle database user passwords is weak, Oracle is reminding users to apply good password protection policies.

"We feel strongly that the issues noted in the paper can be addressed through good password policy management, which dramatically reduces the inherent security risks associated with any password-based authentication system, and through use of security features included with the Oracle database, such as facilities to enforce password complexity, account lockout after multiple login failures and password expiration," Oracle said in a statement sent via e-mail late Friday.

The experts called on the software maker to improve the mechanism used to secure passwords for database users. They said they found a way to recover the plain text password from even very strong, well-written Oracle database passwords within minutes.

"The paper published by SANS exposes the location in the Oracle data dictionary where the Oracle password hashes are stored. By default, access to this table is restricted to a limited number of highly privileged database users," Oracle said. "Good enterprise password policies will dramatically reduce the inherent security risks associated with any password-based authentication system."

The criticism of database password security is the latest critique of Oracle's security practices. The software maker is also under fire for tardiness in patching security flaws and for delivering faulty security updates.
