Skip to Main Content
  • Questions
  • Password Security During Logins in 2021

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, John.

Asked: April 14, 2021 - 11:45 am UTC

Last updated: April 19, 2021 - 5:48 am UTC

Version: 19c

Viewed 100+ times

You Asked

Greetings,

I have a few questions regarding how Oracle by default encrypts the password when sent to the Oracle databases. ( https://asktom.oracle.com/pls/apex/asktom.search?tag=password-security-during-logins&p_session=117601880297172 )

First, please confirm that Oracle by default also encrypts the password when the client uses a JDBC thin client to connect to the databases.

Second, what kind of encryption algorithm (AES128, DES, etc.) does it use?

Third, why doesn't the default encryption of passwords require the complexity of setting up SSL encryption for data in motion? The complexity I am referring to is the need to create various server and client certificates ( CA certificate, self signed, pass it to through SHA-2 algorithm), create wallets and setup several sqlnet.ora parameters on both client and server?

Forth, do you think it is a good idea for Oracle Oracle to provide a simple on/off option to turn on the same default password encryption but for all data in motion?

Lastly, if Oracle encrypts the password automatically, why does Oracle provide this document: "Step by Step Guide To Configure SSL Authentication (Doc ID 736510.1)?" "This article describes how to configure and use the Secure Sockets Layer (SSL) for Oracle Database User Authentication." If Oracle encrypts the password by default, then Oracle providing the document seems unnecessary.

Thanks for your valuable insights.

John

and we said...

Encryption depends on version. If memory serves (so don't take these as gospel)

For thick clients, I *think* it is

- pre v7, possibly no encryption, ah...the good ol' days where we trusted everyone :-))
- v7-v10, DES
- v11, SHA1
- v12 onwards SHA2

For thin clients, I *think* it is AES.

In any event, a lot of things have evolved over time, so its not just a case of sending a password over the line. Nowadays, there is a length set of exchanges between client and the server, passing around hashes and keys etc.

So if we're doing all of that ... two questions come up:

1) why would we need SSL authentication ?

Notice in the document you reference, we are not explicitly including the password in our connection strings. Our apps etc no longer need to provide it because its stored in a wallet. Also, everything about the connection request (username etc) will be over SSL. That's a benefit.

2) why would we need SSL elsewhere ?

Because that is JUST for authentication. What about

- set role identified by mypassword
- create user identified by mypassword
- select CREDIT_CARD from PERSON

etc etc...

Rating

  (1 rating)

Comments

John, April 15, 2021 - 11:33 am UTC

Thank you, Connor, for taking the time to answer my questions.

I wasn't clear enough with one of my questions. First, you have confirmed that Oracle will encrypt the passwords sent from the client to the server by default. This means that the DBA didn't have to setup wallets with certificates and setup various SQLNET parameters for this to happen. It happens right out of the box which is a great idea! However, it seems like it would be a great idea for Oracle to also encrypt by default all of the data ( authentication, SQL calls, database data) it sends back and forth right out of the box. It takes a significant amount of work to setup wallets with CA certificates encrypted at an appropriate level and setup of various SSL/TLS parameters on all of the application clients. The world has way too many people who know about the weaknesses in IT. What are your thoughts as to why Oracle just doesn't encrypt all data by default instead of just the passwords?

Thank you

Connor McDonald
April 19, 2021 - 5:48 am UTC

What are your thoughts as to why Oracle just doesn't encrypt all data by default instead of just the passwords?


That typically incurs a CPU cost and a network cost.

If we forced it, people that didn't need it would complain about that we're hurting their servers :-)

More to Explore

Design

New to good database design? Check out Chris Saxon's full fundamentals class.