Oracle has released a tool designed to ferret out commonly used default passwords that theoretically could be misused by hackers. Called the Oracle Default Password Scanner, the software was released Tuesday as part of Oracle's quarterly Critical Patch Update.
Earlier versions of Oracle's database software included well-known default passwords and user names, for example "scott / tiger" (http://www.oracle.com/technology/oramag/oracle/02-jul/o42schema.html). These accounts are also known to have been created by other software, such as application servers, that interact with the database, said Oracle Security Alerts Manager Darius Wiles.
Although these accounts have been locked down in current versions of the database, they may present a problem to some users with older versions of the database or to those who have upgraded from an older version that included the default passwords, he added.
Oracle 10g databases that have been upgraded from Oracle 7, Oracle8i, or Oracle9i may include the default accounts, according to a note accessible to subscribers of Oracle's MetaLink support service.
The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. "This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems."
Subscribers MetaLink can find more information on the Default Password Scanner in MetaLink Note 361482.1.
More information on Oracle's Critical Patch Update can be found here: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html