I see that David Litchfield has posted a note on freelists titled " Re: Sniffing Oracle authentications " that describes the Oracle authentication mechanism and the fact that if you know the Oracle password hash then its possible to sniff the session key and wait for the encrypted password to be sent to the server. This means that even 30 character passwords using the complete keyspace are vulnerable to attack. David includes a C program to demonstrate this.This is a detailed discussion by David of the issue that was first covered by Ian Redfern in a paper titled " Oracle Protocol " that was up on the Logica site for a while before being pulled but the web archive has a copy. The example Perl program linked in this paper was there on the web archive for quite some time but this has now gone as well. The Perl program gave an example of how this protocol worked and hinted at this issue. I found the link via Peter K's blog where he also mentions that Paul Wright now has an Oracle security blog. I have added a link to his blog in my Oracle blogs aggregator