Threat Finder

Threat ID: 6
Threat Date: 08/06/2007
Threat Name: Easily-guessed database password
CVE Reference: CVE-NO-MATCH
CCE Reference: CCE-NO-MATCH
Risk: High
Database Type: Oracle
Category: Weak Passwords
Versions: All versions of Oracle
Summary
One of the common methods used to attack a database is to guess passwords. This involves running a script that tries to connect to the database using each word in a dictionary as the password. If the password for an account is found in the dictionary, the account can be broken into.
Overview
Password attacks are used by less sophisticated hackers to brute-force their way into a database. A password attack is the equivalent of attempting to break the door down to break into a house - effective but not very subtle.

A password attack is performed by creating a script that rapidly takes the words from a dictionary and tries them one by one as the password for a user. If a user has chosen a password found in the dictionary, what we consider an easily-guessed password, the attacker will break into the database.

To run a password attack, the attacker must first have a username to attack. A username can be brute-forced by trying common usernames, or a default username such as SYS or SYSTEM can be used.

Other factors in the effectiveness of a password attack are how long the attacker has to perform the attack and how large the dictionary is. Given enough time, the attacker can try every possible password combination and break into an account even if the password is very hard to guess. Ideally, a password should be chosen that would take longer to guess than the password lifetime. For instance, if your passwords expire every 90 days, your passwords should be designed to survive a password attack for up to 90 days.
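
The lifetime rule above, written as a policy check. This is an added example, not part of the original entry or of any vendor tool: it rejects dictionary words outright and compares worst-case exhaustive-search time with the password lifetime. The function names, the sample wordlist and the guess rate of 1000 per second are assumptions; the case_sensitive switch reflects that Oracle releases before 11g compare passwords case-insensitively.

```python
import string

# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "oracle", "welcome", "manager", "tiger"}

# Assumed guess rate; replace with what your listener and lockout settings allow.
ASSUMED_GUESSES_PER_SECOND = 1000


def alphabet_size(password, case_sensitive=True):
    """Size of the character set an exhaustive search has to cover."""
    has_lower = any(c in string.ascii_lowercase for c in password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    if case_sensitive:
        size = 26 * (has_lower + has_upper)
    else:
        # Upper and lower case collapse into one 26-letter class.
        size = 26 if (has_lower or has_upper) else 0
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def days_to_exhaust(password, guesses_per_second=ASSUMED_GUESSES_PER_SECOND,
                    case_sensitive=True):
    """Worst-case days to try every password of this length and alphabet."""
    keyspace = alphabet_size(password, case_sensitive) ** len(password)
    return keyspace / guesses_per_second / 86400


def survives_lifetime(password, lifetime_days=90,
                      dictionary=SAMPLE_DICTIONARY, **rate_options):
    """True only if the password is not a dictionary word and exhaustive
    search would outlast the password lifetime."""
    if password.lower() in dictionary:
        return False  # found on the first dictionary pass, whatever its length
    return days_to_exhaust(password, **rate_options) > lifetime_days


if __name__ == "__main__":
    for candidate in ("welcome", "tiger7", "kQzVbN", "Tq7#vLp2xW"):
        print(candidate, survives_lifetime(candidate),
              survives_lifetime(candidate, case_sensitive=False))
```

A six-letter mixed-case password passes the 90-day test at this rate only when case is significant; treated case-insensitively it is exhausted in under four days.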
References
VMSKey: V0015634
STIGID: DG0127

Additional information including fix script information is available in the licensed versions of Application Security's DbProtect and AppDetectivePro solutions.
