Oracle Security Check

A default installation of Oracle may not provide a totally secure system out of the box. Whoever performs the installation must remember to change any default account passwords once the installation has been completed.



This application will scan an Oracle instance and will check current accounts against a list of known default usernames and passwords. This application shows how easy it is to check for some common installation vulnerabilities.

Checking for Known Passwords

The easiest way to access an Oracle database is by using a combination of known default usernames and passwords. There are a large number of these accounts with known default credentials. These default accounts will not be installed in most databases, but a few key ones will be installed along with any others that privileged users have installed as part of adding examples or additional database features.

A second method of accessing a database is by trying combinations of usernames and passwords where the password has been set to the same value as the username. This is a common practice when many databases are first set up. Oracle Security Check will get a list of all users on the system and try to log in as each user.

Caution

If you have a very large number of users defined in your database, please check the database parameters for "processes" and "sessions" to make sure they are set to a value larger than the number of users. Otherwise, the security check utility could allocate too many sessions as it checks the security of your database.
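For a DBA auditing their own instance, the default-password check and the "processes"/"sessions" caution above can both be run as queries. This is an added example, not part of Oracle Security Check. It assumes Oracle 11g or later, where the built-in DBA_USERS_WITH_DEFPWD view exists, and it reads the data dictionary instead of attempting logins; the view does not detect passwords that merely equal the username.

```sql
-- Added example: run as a user with SELECT on the DBA_* and V$ views.

-- 1. Pre-flight for the Caution above: compare the number of accounts
--    with the instance limits before running any per-user check.
SELECT (SELECT COUNT(*) FROM dba_users)                  AS user_count,
       (SELECT TO_NUMBER(value) FROM v$parameter
         WHERE name = 'processes')                       AS processes_limit,
       (SELECT TO_NUMBER(value) FROM v$parameter
         WHERE name = 'sessions')                        AS sessions_limit
  FROM dual;

-- 2. Headroom right now: how many processes and sessions are already
--    in use, and the highest usage since instance startup.
SELECT resource_name,
       current_utilization,
       max_utilization,
       limit_value
  FROM v$resource_limit
 WHERE resource_name IN ('processes', 'sessions');

-- 3. Accounts that still carry a known default password.
--    OPEN accounts sort first because they can be logged in to today;
--    locked or expired ones still need a password change before reuse.
SELECT d.username,
       u.account_status,
       u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u
    ON u.username = d.username
 ORDER BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          d.username;

-- 4. Remediation for an unused account found in step 3.
--    EXAMPLE_USER is a placeholder, not an account named on this page.
-- ALTER USER example_user ACCOUNT LOCK PASSWORD EXPIRE;
```

If user_count in step 1 is close to or above either limit, raise the parameters or run the check in batches before scanning.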

 

 

Copyright 2005, eNSYNC
All rights reserved