A hacker using few resources could exploit weaknesses in Oracle databases to recover passwords, two security researchers concluded in a recent paper.
The study, written by Joshua Wright of the SANS Institute and Carlos Cid of the Information Security Group at Royal Holloway College, University of London, illustrated how it was possible to gain passwords in a little over four minutes using a hacking technique. Oracle was informed of the vulnerability in July but has not responded, according to SANS.
Passwords are usually protected by transforming them with a one-way algorithm, called hashing, into a fixed-size value. A login attempt is checked by hashing the supplied password and comparing the result with the value stored in the password table, according to the study. A random value, called a "salt," is mixed in before hashing so that identical passwords do not produce identical stored values.
The study found that Oracle databases suffered from weak password salt selection and a weak hashing algorithm. The Oracle password hashing mechanism also converted a user's password to all uppercase letters before computing the hash, which shrinks the set of distinct passwords that must be considered; the study called this another significant weakness.
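To make the two weaknesses above concrete, here is an added Python example (constructed for this article, not code from the study or from Oracle). It compares a deliberately weak scheme, which folds the password to uppercase and derives its salt from the username (both assumptions chosen to mirror the weaknesses described, not a reimplementation of Oracle's real algorithm), against a conventional salted design with a random per-user salt and a slow key-derivation function, and it quantifies how much smaller the space of possible passwords becomes once letter case is discarded.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# --- Weak scheme (constructed illustration) -------------------------------
# Salt is derived from the username and the password is folded to uppercase.
# Both choices are assumptions for this example; they are not Oracle's algorithm.
def weak_hash(username: str, password: str) -> str:
    salt = username.upper().encode()
    return hashlib.sha1(salt + password.upper().encode()).hexdigest()

# --- Stronger scheme ------------------------------------------------------
# Random 16-byte salt per user, case preserved, PBKDF2-HMAC-SHA256 with many
# iterations so that each guess costs the verifier (and any guesser) real work.
ITERATIONS = 100_000

def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, digest)

# --- Effect of case folding on the password space -------------------------
def alphabet_size(case_folded: bool) -> int:
    # printable ASCII letters, digits and punctuation; folding collapses
    # the 52 upper/lower letters into 26
    letters = 26 if case_folded else 52
    return letters + len(string.digits) + len(string.punctuation)

def keyspace_reduction_factor(length: int) -> float:
    """How many times smaller the set of length-n passwords becomes
    when upper and lower case are treated as the same character."""
    return (alphabet_size(False) / alphabet_size(True)) ** length

def demo() -> dict:
    """Return observations a reader can inspect; values are deterministic
    except for the random salts in the strong scheme."""
    weak_same = weak_hash("scott", "Tiger") == weak_hash("scott", "TIGER")
    salt_a, dig_a = strong_hash("Tiger")
    salt_b, dig_b = strong_hash("Tiger")
    return {
        "weak_scheme_ignores_case": weak_same,
        "strong_scheme_distinguishes_case": not strong_verify("TIGER", salt_a, dig_a),
        "strong_scheme_same_password_different_hash": dig_a != dig_b,
        "reduction_factor_8_chars": round(keyspace_reduction_factor(8), 1),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the weak scheme every user named `scott` who picks any capitalisation of `tiger` ends up with the same stored value, and a leaked hash for one such account is immediately a leaked hash for all of them; in the strong scheme the same password produces a different hash for every user because the salt is random, and the verifier still distinguishes `Tiger` from `TIGER`.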
To capture the password hashes, a malicious hacker could potentially capture unencrypted network traffic or exploit vulnerabilities in Web applications that inadvertently allow the execution of malicious SQL (structured query language) commands sent through a Web address. With local access to the operating system of the database, a hacker could also use the Unix strings utility to locate password hashes and user names, the study said.
After recovering one or more user names and password hashes, the hacker could use the details of the hashing algorithm to recover other user passwords, the paper said.
To protect password hashes, the study recommended enforcing a minimum 12-character password length that expires after 60 days in addition to auditing users' password selection to identify weak ones. It also recommended encrypting network traffic and restricting access to Web applications and password hashes by database users.
Oracle officials were not immediately available for comment.