Friday, February 18, 2011

Handling vulnerabilities in databases

In the current (February 2011) issue of Security Management Practices, Fran Howarth cites TechTarget when he writes about five of the most common vulnerabilities affecting databases. The first vulnerability he mentions is poor password policies; the other four are SQL injection, cross-site scripting, data leakage (mostly concerning physical security), and improper error handling. On poor password policies he writes:
Poor password policies—one of the key methods that attackers use against databases is to exploit the widespread use of default user account names and passwords. Weak passwords are also a common problem. To solve these problems, a strong password policy should be enforced, using longer and complex passwords, and requiring that these are changed regularly. In many organizations, passwords are also shared among administrators, making it impossible to discover who perpetrated a particular action. All privileged users with access to sensitive information in databases should be required to use their own passwords. In some organizations, such users are provided with two access accounts—one for everyday use and another for administrative tasks that require the highest privileges.
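The three concrete points in that passage (default accounts left enabled, one password shared by several administrators, and a privileged user without a separate everyday account) can be checked against an account inventory. The script below is an added example written for this post, not Howarth's or TechTarget's code; the inventory shape, the list of default login names and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class DbAccount:
    name: str
    privileged: bool
    enabled: bool
    owners: list            # people who know this account's password
    password_changed: date


# Vendor/default login names worth flagging (illustrative list, an assumption).
DEFAULT_ACCOUNTS = {"sa", "root", "admin", "postgres", "system", "scott"}


def audit(accounts, today, max_age_days=90):
    """Return (account, issue) pairs for the policy points quoted above."""
    findings = []
    # Everyday (non-privileged) accounts owned by exactly one person.
    everyday = {a.owners[0] for a in accounts if not a.privileged and len(a.owners) == 1}
    for a in accounts:
        if a.enabled and a.name.lower() in DEFAULT_ACCOUNTS:
            findings.append((a.name, "default account still enabled"))
        if len(a.owners) > 1:
            findings.append((a.name, f"shared by {len(a.owners)} people; actions not attributable"))
        elif a.privileged and a.owners[0] not in everyday:
            findings.append((a.name, "privileged user has no separate everyday account"))
        # Rotation is part of the quoted policy; the post doubts its value, so the
        # threshold is a parameter rather than a fixed rule.
        if (today - a.password_changed).days > max_age_days:
            findings.append((a.name, f"password older than {max_age_days} days"))
    return findings


def sample_inventory():
    """Constructed sample inventory, not data from any real database."""
    return [
        DbAccount("sa", True, True, ["bob", "carol", "dave"], date(2010, 1, 1)),
        DbAccount("alice", False, True, ["alice"], date(2011, 1, 15)),
        DbAccount("alice_dba", True, True, ["alice"], date(2011, 1, 15)),
        DbAccount("ops_admin", True, True, ["bob", "carol"], date(2011, 2, 1)),
        DbAccount("dave_dba", True, True, ["dave"], date(2011, 2, 1)),
    ]


def run_sample():
    return audit(sample_inventory(), date(2011, 2, 18))


if __name__ == "__main__":
    for name, issue in run_sample():
        print(f"{name}: {issue}")
```

Only alice's two-account setup passes cleanly; the shared vendor account collects three findings at once.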
I have my doubts about how much changing passwords regularly helps. The writer at http://isc.sans.edu/diary.html?storyid=7510 puts it best when he says:
Forcing a user who had a weak password to change it will just make him pick another weak one. Forcing a user who had a very strong password to change it will eventually annoy the user into using simpler passwords.
I will leave you with the conclusion at GFI (http://www.gfi.com/blog/security-vs-productivity-in-the-workplace/):
What I would suggest to anyone working to create a secure environment is not to take industry “best practices” as obvious solutions, because in most cases they’re not, and might even be worse than doing nothing! Before taking any security measure, always think about whom it will affect, what its actual effect will be, and whether it’s the right thing to do. In IT security, there’s never a one-size-fits-all solution, and the best security schemes are tailor-made for that specific scenario. 
