In response to the recent publication by Joshua Wright and Carlos Cid, entitled “An Assessment of the Oracle Password Hashing Algorithm”, Oracle has just sent out the following e-mail to its customers (I got it a few minutes ago):
Dear Oracle customer,
Oracle Global Product Security has investigated the recent publication by Joshua Wright of the SANS Institute, and Carlos Cid of the University of London’s Royal Holloway College, entitled “An Assessment of the Oracle Password Hashing Algorithm.” This paper presents an analysis of the Oracle Database password hashing algorithm. It describes potential attacks against this algorithm when an attacker has access to password hash information.
Oracle considers adherence to industry standard security practices the best way for customers to protect their database systems. In particular, issues noted in the paper can be addressed through limiting access to password hash information, and by enforcing good enterprise password policies. Moreover, Oracle customers have authentication options available which avoid the issues described in this paper.
A MetaLink note is now available that outlines the minimum essential steps customers should take to mitigate potential attacks against the password hashing mechanisms in Oracle databases. Customers who already follow industry standard security best practices, including those who have hardened or locked down their database systems, may still benefit from reviewing the MetaLink note.
The MetaLink Doc ID is 340240.1.
Oracle Global Product Security
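The e-mail names two mitigations without showing them: restricting who can read the password hashes, and enforcing a password policy. The SQL below is an added illustration of both (it is neither part of the e-mail nor the contents of MetaLink note 340240.1). The first part is a read-only check of which accounts can reach the hash column, which is stored in SYS.USER$ and, in releases of that era, also visible through the PASSWORD column of DBA_USERS; the second part creates a password profile. The profile name app_user_profile, the account app_user, and the assumption that the stock utlpwdmg.sql script has been run to create verify_function are mine, not Oracle's.

```sql
-- Added example, not from the Oracle e-mail or the MetaLink note.
-- Part 1: who can read password hashes?  Run as a DBA.

-- Direct object grants on the table/view that expose the hash.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('USER$', 'DBA_USERS');

-- Roles that carry dictionary read access (and therefore the hash views).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('SELECT_CATALOG_ROLE', 'DBA');

-- System privileges that bypass object grants entirely.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'SELECT ANY DICTIONARY');

-- Every non-administrative grantee returned above is a candidate for REVOKE;
-- an application account has no reason to read SYS.USER$ or DBA_USERS.

-- Part 2: enforce a password policy with a profile.
-- verify_function is the complexity checker installed by
-- $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (assumed to have been run).
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS     5       -- lock after 5 bad passwords
  PASSWORD_LOCK_TIME        1/24    -- stay locked for one hour (fraction of a day)
  PASSWORD_LIFE_TIME        90      -- force a change every 90 days
  PASSWORD_GRACE_TIME       7       -- warn for 7 days before expiry
  PASSWORD_REUSE_TIME       365     -- no reuse within a year ...
  PASSWORD_REUSE_MAX        10      -- ... and not within the last 10 passwords
  PASSWORD_VERIFY_FUNCTION  verify_function;

-- Attach the profile to the (assumed) application account.
ALTER USER app_user PROFILE app_user_profile;
```

Two caveats worth knowing when applying this: the verify function and reuse limits are only evaluated when a password is next changed, so existing weak passwords stay in place until you expire them (ALTER USER ... PASSWORD EXPIRE), and a low FAILED_LOGIN_ATTEMPTS value on a shared service account can turn a password-guessing attempt into a denial of service, so pair it with monitoring of the lock-outs rather than relying on lock-out alone.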