Oracle guru Jared Still (author of the
popular O'Reilly book "Perl for the Oracle DBA") has published
an excellent (and scary) overview of Oracle password
vulnerabilities on OraFAQ:
http://www.orafaq.com/articles/archives/000064.htm
Jared uses example code and arrives at these
important conclusions about Oracle password management:
It appears that if an attacker gains DBA-level access to your
database either directly or indirectly there is a very good
chance that passwords may be collected from that database and
emailed directly to an anonymous email account.
Though there are some methods you may use to detect and
prevent this from taking place, they are not 100% effective. If
the attack comes from someone already entrusted with the
database, harvesting passwords becomes much more difficult to
prevent or detect.
Why would someone who already has DBA access to the database
need account passwords? This allows the insider to log in to the
database as an account not associated with the DBA. Doing so
does not require saving the encrypted value of the password,
changing it temporarily and then changing it back to its
original value via alter user username identified by values 'encrypted_value_here',
which could be detected, especially in an account that logs in
frequently.
In addition to monitoring the hash value for the password
verification function you should consider wrapping the function
via the $ORACLE_HOME/bin/wrap function. This step will not stop
someone from completely replacing the function given the proper
access to the database, but it will prevent the modification of
the function by an attacker that does not have your source code.
The final solution to this probably lies in doing away with
the reliance on passwords altogether and using some form of
trusted external authentication, a topic for discussion at
another time.
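To make the "monitor the hash of the password verification function, then wrap it" advice from the quoted conclusions concrete, here is an added defender-side example; it is not code from Jared's article or from this post. The table sec_pwverify_baseline and the function sec_source_hash are names I made up for it; it assumes a DBA account with SELECT on DBA_SOURCE, DBA_OBJECTS and DBA_PROFILES plus EXECUTE on DBMS_CRYPTO, and DBMS_CRYPTO.HASH_SH256 needs 12c or later (use HASH_SH1 on older releases).

```sql
-- Baseline table for the hash of the password verification function's source
-- (table and function names below are constructed for this example).
CREATE TABLE sec_pwverify_baseline (
  owner     VARCHAR2(128),
  name      VARCHAR2(128),
  src_hash  RAW(32),
  recorded  DATE DEFAULT SYSDATE
);

-- Hash the complete source text of a stored function as held in DBA_SOURCE.
-- Returns NULL when the function no longer exists, so a drop-and-replace
-- shows up as CHANGED in the check below. Wrapped code still has its
-- (wrapped) text in DBA_SOURCE, so the same check keeps working after wrapping.
CREATE OR REPLACE FUNCTION sec_source_hash(p_owner VARCHAR2, p_name VARCHAR2)
RETURN RAW AS
  l_src CLOB;
BEGIN
  FOR r IN (SELECT text FROM dba_source
             WHERE owner = p_owner AND name = p_name AND type = 'FUNCTION'
             ORDER BY line) LOOP
    l_src := l_src || r.text;
  END LOOP;
  IF l_src IS NULL THEN RETURN NULL; END IF;
  RETURN DBMS_CRYPTO.HASH(l_src, DBMS_CRYPTO.HASH_SH256);  -- HASH_SH1 before 12c
END;
/

-- 1. Record a baseline for whichever function each profile actually references
--    (password verification functions must be owned by SYS).
INSERT INTO sec_pwverify_baseline (owner, name, src_hash)
SELECT DISTINCT o.owner, o.object_name, sec_source_hash(o.owner, o.object_name)
  FROM dba_profiles p
  JOIN dba_objects  o ON o.object_name = p.limit
                     AND o.owner = 'SYS' AND o.object_type = 'FUNCTION'
 WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
   AND p.limit NOT IN ('NULL', 'DEFAULT');
COMMIT;

-- 2. Periodic check: a hash mismatch or a vanished function is reported as CHANGED.
SELECT b.owner, b.name, o.last_ddl_time,
       CASE WHEN sec_source_hash(b.owner, b.name) = b.src_hash
            THEN 'OK' ELSE 'CHANGED' END AS status
  FROM sec_pwverify_baseline b
  LEFT JOIN dba_objects o ON o.owner = b.owner AND o.object_name = b.name
                         AND o.object_type = 'FUNCTION';

-- 3. Wrap the source before (re)creating the function so its body is not
--    readable from DBA_SOURCE; run the first line from the OS shell, the
--    second in SQL*Plus, then re-record the baseline (step 1).
--    $ $ORACLE_HOME/bin/wrap iname=verify_function.sql oname=verify_function.plb
--    SQL> @verify_function.plb
```

Schedule step 2 from a job and alert on any CHANGED row; as the article notes, this catches modification but not a full replacement by someone who already holds the rights to do it.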