An Assessment of the Oracle Password Hashing Algorithm
Handler Joshua Wright and Dr. Carlos Cid from the Information Security Group at Royal Holloway, University of London have published a paper describing the inner workings of, and vulnerabilities in, the Oracle password hashing algorithm. A copy of the paper is available through the SANS Reading Room at

The authors' findings indicate that the password hashing algorithm is weak and subject to a number of attacks. If an attacker is able to obtain Oracle password hash information from a compromised system, through traffic sniffing, SQL injection or other attack vectors, they will likely be able to recover plaintext passwords with few resources, even when strong passwords are selected. The paper also recommends several actions Oracle DBAs can take to help mitigate this threat.

The SANS Institute contacted the Oracle product security team about these findings on 7/12/2005. Subsequent requests for clarification on what Oracle plans to do to address these vulnerabilities have gone unanswered. Oracle customers are encouraged to communicate their desire to have these vulnerabilities resolved through the appropriate channels.


ISC Handler
Oct 27th 2005
