Security Best Practice: Oracle passwords, but secure!
Today I held my presentation about Oracle security best practice “Oracle passwords, but secure!” at the virtual UKOUG event. Unfortunately, this year the beautiful view of Brighton beach and the active exchange with colleagues was missing. Ok, on the other hand I was able to enjoy the first snow in Switzerland with my children.
The following blog post is a summary of my presentation with some examples, notes, references and slides.
Oracle Password Hashes
The different Oracle Database releases do provide various password verifiers. Although the older password verifiers are no longer state of the art, they are still used relatively frequently. It is therefore essential to take the appropriate measures to make password-based authentication secure. Oracle currently offers the following password hash functions:
- Oracle 10g Hash Function based on DES and an Oracle specific algorithm. It is case insensitive and does use a weak password salt i.e. the username is used as salt.
- MD5 based Hash Function used for digest authentication in XDB
- Oracle 11g Hash Function based on the SHA1 hash algorithm. But since 2005 SHA1 is no longer considered as safe. The hash function does supports case sensitive and multibyte character passwords.
- Oracle 12c Hash Function based on a de-optimised algorithm involving PBKDF2 and SHA-512. It supports case sensitive and multibyte character passwords.
The different password verifiers can be controlled by
SQLNET.ALLOWED_LOGON_VERSION_CLIENT or by setting the passwords explicitly using
ALTER USER ... IDENTIFIED BY VALUES.
Create different users with different password verifiers
CREATE USER test_10g IDENTIFIED BY VALUES 'AF310E4D20D06950'; CREATE USER test_11g IDENTIFIED BY VALUES 'S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056'; CREATE USER test_12c IDENTIFIED BY VALUES 'T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0BE66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56F8C22291D417E26D4B810003F3F055EDFF'; CREATE USER test_all IDENTIFIED BY Welcome1;
In DBA_USERS you will see the different password versions
SET LINESIZE 160 PAGESIZE 200 COL username FOR a10 COL password_versions FOR a20 SELECT username, password_versions FROM dba_users WHERE username LIKE 'TEST_%'; USERNAME PASSWORD_VERSIONS ----------- -------------------- TEST_10G 10G TEST_11G 11G TEST_ALL 10G 11G 12C TEST_12C 12C
Or in USER$ you can find the corresponding hashes:
SET LINESIZE 160 PAGESIZE 200 COL name FOR a10 COL password FOR a16 COL spare4 FOR a64 SELECT name,password,spare4 FROM user$ WHERE name LIKE 'TEST_%' ORDER BY 1; NAME PASSWORD SPARE4 ---------- ---------------- ---------------------------------------------------------------- TEST_10G AF310E4D20D06950 TEST_11G S:6702B83E88D277BFC378AD6B22DD1AE01895A254470F8124A9D3C5347056 TEST_12C T:45738A7B75C9E31ED0C533BCF4931084658A143FD7CF826B980A88EA6C4F0B E66C28DA7085BCAE386723029BA967DC4F45E9C146F6FA7C22E44BA2C1BD2F56 F8C22291D417E26D4B810003F3F055EDFF TEST_ALL 4932A1B4C59EC3D0 S:ABF25107166264C8EAFE72BF02152DE17000F359CB5BAF21A6AF41477633;T :62FEE108652A56D940813F54EC72D1494ACAD99F2BBDD0A578BF1F97FAB4A7E B468A98B6B553E460DE21E57F6C35A930DEE027D20B33ED13D56EA0ECACB1CEA 94EEC8AC389561346052BB0BFF2C06647
Manually create a Oracle 10g password verifier:
SQL> @create_password_hash.sql system ieShae0 Username : system Password : ieShae0 Hash : 0AD56CF5F1CB8D2A SQL : alter user system identified by values '0AD56CF5F1CB8D2A'; PL/SQL procedure successfully completed.
Testing the Password Verifier
There are a couple of possibilities and tools to “verify” password hashes. Among the best known are the tools Hashcat and John the Ripper. These tools doe support a wide range of hashes as well attack methods. Below you find an example of a brute force attack for the Oracle hash we created above.
--incrementwill start to brute force with shorter length e.g 4 characters
-custom-charset1to define numbers and characters
-hash-typeOracle 7+ respectively password verifier 10g
--showshow the password
echo "0AD56CF5F1CB8D2A" >demo.hash hashcat --attack-mode 3 --increment --increment-min 4 --custom-charset1 ?l?d --hash-type 3100 ./demo.hash ?1?1?1?1?1?1?1 hashcat --hash-type 3100 ./demo.hash --show
Here are a few good practices on Oracle passwords.
- Keep your Oracle Clients and Server up to date. Stay updated by following Critical Patch Updates, Security Alerts and Bulletins. Install security fixes in a reasonable time frame
- Consider using strong Authentication like Kerberos and SSL based authentication.
- Don’t use legacy password verifier
- Use Oracle password file version 12.2
- Explicitly configure
ALLOWED_LOGON_VERSION_SERVERto 12a and exclusively use 12c hash values
- Start using PBKDF2 SHA-512 for directory-based password authentication with EUS and CMU
- Revise your password policies
- NIST, CIS, STIG and other standards are continuously adjusted.
- Does the complexity rule still make sense or does it just reduce the amount of possibilities.
- User awareness training. Make sure your user know the principle of good and bad Use of phase phrase rather than password
Slides of the UKOUG Presentation
Links and references related to this blog post
- GitHub Ghist with a few more notes Oracle Passwords but secure!
- Presentation on Slideshare
- create_password_hash.sql Calculate Oracle DES based password hash from username and password.
- verify_passwords.sql Check if user in
sys.user$has a weak DES based password. Base Script for verify_alluser_passwords.sql, verify_alluser_passwords_no.sql, verify_alluser_passwords_no.sql, verify_alluser_passwords_no.sql, verify_user_password.sql and verify_user_password_no.sql.
- HashCat advanced password recovery
- John the Ripper password cracker
- Oracle® Database Security Guide 19c
- Oracle® Database Advanced Security Guide 19c
- Oracle® Database Database Net Services Reference 19c