[转载]An Assessment of the Oracle Password Hashing Algorithm

原始连接：http://www.sans.org/rr/special/index.php?id=oracle_pass

In this paper the authors examine the mechanism used in Oracle databases for protecting users' passwords. We review the algorithm used for generating password hashes, and show that the current mechanism presents a number of weaknesses, making it straightforward for an attacker with limited resources to recover a user's plaintext password from the hashed value. We also describe how to implement a password recovery tool using off-the-shelf software. We conclude by discussing some possible attack vectors and recommendations to mitigate this risk.