Reply to post: Excellent work.

Password reset sites expose crackable PeopleSoft creds

JLV

Excellent work.

Some questions do come to mind. If by password recovery, you mean the user password recovery pages, does that mean we are talking about using PeopleSoft in stand-alone authentication mode, i.e. its own internal _User_ passwords?

Because it does make sense to hive off authentication to an LDAP server. And I am sure many sites do that. Now, that in no way excuses any of this, but is LDAP mode affected as well is what I'd like to know too.

As a dev with some admin skills on PS I have seen passwords imbedded in the app and wondered about the security implications thereof. Granted, lots of them seem to be somewhat single-purpose technical connection settings, but surely they are better locked down tightly anyways with no risk of privilege escalation somehow.

When you have lots of them used for different things in many moving parts with different technologies, chances are always that an overworked sysadmin doesn't catch, or isn't aware of, all of them. So a production system in which some types of passwords are still still set to the vanilla database? Not surprising at all. A checklist of things to lock down/reset would help.

Airing this out is a good thing. Just because ERP systems are not quite as widely used as consumer-facing tech or network tech doesn't mean that they don't need to be secure. Quite the opposite given their payload (imagine blackmailing a big corporation with a release of the everyone's pay for example).

I hope Oracle takes this in stride, displays some humility, plays nice, listens and... fixes.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021