A default installation of Oracle may not provide a totally
secure system out of the box. The installer must remember
to change any default account passwords once the installation
has been completed.
This application will scan an Oracle instance and will check
current accounts against a list of known default usernames
and passwords. This application shows how easy it is to check
for some common installation vulnerabilities.
Checking for Known Passwords
The easiest way to access an Oracle database is by using a
combination of known default usernames and passwords. There
are a large number of these accounts with known default credentials.
Most of these default accounts will not be present in a given
database, but a few key ones will be, along with any others
that privileged users have added when installing examples
or additional database features.
A second method of accessing a database is by trying combinations
of usernames and passwords where the password has been set
to the same value as the username. This is a common practice
when many databases are first set up. Oracle Security Check
will get a list of all users on the system and try to log in
as each of them.
If you have a very large number of users defined in your database,
please check the database parameters for "processes"
and "sessions" to make sure they are set to a value
larger than the number of users. Otherwise, the security check
utility could allocate too many sessions as it checks the
security of your database.
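
The queries below are an added example, not part of Oracle Security Check. The first compares the "processes" and "sessions" limits with the number of accounts before a scan is run; the second lists accounts Oracle itself flags as still having a default password. They assume a login with SELECT access to the DBA_ and V$ views, and the second assumes Oracle 11g or later, where DBA_USERS_WITH_DEFPWD exists.

```sql
-- Pre-scan capacity check: each limit should be larger than the
-- number of accounts the scan will try to log in as.
SELECT p.name                  AS parameter,
       TO_NUMBER(p.value)      AS limit_value,
       r.current_utilization   AS in_use_now,
       u.user_count            AS accounts_to_check,
       CASE
         WHEN TO_NUMBER(p.value) > u.user_count THEN 'OK'
         ELSE 'RAISE BEFORE SCANNING'
       END                     AS status
FROM   v$parameter p
       JOIN v$resource_limit r
         ON r.resource_name = p.name
       CROSS JOIN (SELECT COUNT(*) AS user_count FROM dba_users) u
WHERE  p.name IN ('processes', 'sessions');

-- Accounts whose password is still a known default, with their
-- lock/expiry state so open accounts can be dealt with first.
SELECT d.username,
       u.account_status
FROM   dba_users_with_defpwd d
       JOIN dba_users u
         ON u.username = d.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          d.username;
```

Any row returned by the second query with a status of OPEN needs its password changed or the account locked.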