Also, don't forget to change default passwords to ALL default users - not only the "strong root password". If I recall correctly there are several such.

Arvind Shyamsundar wrote:
>
> In-Reply-To: <20020805211834.GA11783@i-u.de>
>
> Hi,
> In addition to securing the password in transit (which is very important)
> one must not forget to secure it when it is stored in the DB. I am not
> familiar with Oracle specifics, but the following general guidelines apply
> to any DB:
> - Never store the application password in cleartext. Ideally one stores
> the hash of the password and compares the hash of the input password with
> the one stored in the DB.
> - Take special care not to log the application password in any debug or
> error logs. This can totally compromise all other security measures you
> have taken.
> - Ensure minimum privileges and proper access control as regards the DB
> itself. If the DB is open to all then the passwords stored in the DB are
> liable to be compromised.
> - Ensure a strong root password for the DB, and make sure that the runtime
> code uses a non-privileged user for operation.
> - Consider not only your passwords, but passwords which you may use for
> external web services or third party software interfaces.
>
> HTH,
>
> Arvind Shyamsundar
> Brainbench MVP - Internet Security

--
Scott MacKenzie; Dine' College IS
Phone/Voice Mail: 928-724-6639
Senior DBA/CARS Coordinator/Etc.
Email: scottmat_private
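One way to put the first two of Arvind's guidelines into practice, as an added example that is not code from either poster: only a per-user salt and a PBKDF2 digest are written to the DB, verification recomputes the digest and compares it in constant time, and a small helper strips the password from anything headed for a debug or error log. The in-memory table, its column names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumed parameters for this example; raise iterations as hardware allows.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password do not get the same stored value."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def open_store() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's DB.
    Only salt and digest columns exist; there is no place for cleartext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (name TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, digest BLOB NOT NULL)")
    return conn


def store_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    conn.execute("INSERT INTO app_users VALUES (?, ?, ?)", (name, salt, digest))


def verify_user(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison does not leak how many leading bytes matched."""
    row = conn.execute("SELECT salt, digest FROM app_users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, row[0])
    return hmac.compare_digest(candidate, row[1])


def redact_for_log(fields: dict) -> dict:
    """Apply to any structure before it is logged; the password never
    reaches the log file even when debug logging is turned up."""
    return {k: ("<redacted>" if k == "password" else v) for k, v in fields.items()}
```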
This archive was generated by hypermail 2b30 : Wed Aug 07 2002 - 15:04:12 PDT