Re: SQL*Net/Net8 and plain text passwords

> Oracle encrypts passwords by default. I believe this began wit SQL*NET 2.1.
> However, if you do not have the parameter, ORA_ENCRYPT_LOGIN,
> set to ,true, in the sqlnet.ora file of the client, then Oracle under
> certain circumstances, will send the password is plain text, after trying
> and failing with the encrypted password. There is also an init.ora
> parameter, DBLINK_ENCRYPT_LOGIN which controls this behavior on database
> links.
>
> The password will be sent in plain text between web browsers and your web
> server unless you have protected the ports via SSL.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian_at_slac.stanford.edu
> -----Original Message-----
> Sent: Friday, June 09, 2000 3:14 PM
> To: Multiple recipients of list ORACLE-L
>
>
> Hi fellow (this includes males and females) DBAs,
>
> I have an application that connects to an Oracle database via a Web
> Server, machine from is Unix or NT, and machine to can be Unix or NT.
>
> The customer's concern is passwords being sent over SQL*Net/Net8.
>
> I have reassured him that plain text passwords will not be sent over
>
> the network. I mentioned OS authentication, which I am sure will work.
> I am also sure that there is a Net parameter for encryption.
>
> Any ideas? I am @ home now after a long hard weeks work, with no
> documentation available, except on the laptop, and that is giving up
> the ghost.
>
> Any hints, tips. pointers, URL's, direct experience, even that it
> can't be done?
>
> Regards and TIA.
>
> Tony

Ian,

        Thanks a lot. I thought I was not going to get an answer from this group. Received on Sun Jun 11 2000 - 13:47:40 CDT