
RE: SQL*Net/Net8 and plain text passwords

From: MacGregor, Ian A. <ian_at_SLAC.Stanford.EDU>
Date: Sun, 11 Jun 2000 11:37:49 -0700

Oracle encrypts passwords by default. I believe this began with SQL*NET 2.1. However, if you do not have the parameter ORA_ENCRYPT_LOGIN set to true in the sqlnet.ora file of the client, then Oracle, under certain circumstances, will send the password in plain text after trying and failing with the encrypted password. There is also an init.ora parameter, DBLINK_ENCRYPT_LOGIN, which controls this behavior on database links.

The password will be sent in plain text between web browsers and your web server unless you have protected the ports via SSL.

Ian MacGregor
Stanford Linear Accelerator Center

-----Original Message-----
From: Sherwin Anthony Sequeira
Sent: Friday, June 09, 2000 3:14 PM
To: Multiple recipients of list ORACLE-L
Subject: SQL*Net/Net8 and plain text passwords

Hi fellow (this includes males and females) DBAs,

        I have an application that connects to an Oracle database via a Web Server, machine from is Unix or NT, and machine to can be Unix or NT.

        The customer's concern is passwords being sent over SQL*Net/Net8.

        I have reassured him that plain text passwords will not be sent over the network. I mentioned OS authentication, which I am sure will work.  I am also sure that there is a Net parameter for encryption.

        Any ideas? I am @ home now after a long hard week's work, with no documentation available, except on the laptop, and that is giving up the ghost.

        Any hints, tips, pointers, URLs, direct experience, even that it can't be done?

        Regards and TIA.


Author: Sherwin Anthony Sequeira

Received on Sun Jun 11 2000 - 13:37:49 CDT
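
An added example, not part of the original message or of Oracle's tooling: a small Python check that reads a client sqlnet.ora and a server init.ora and reports when the two parameters named in the reply are missing or not set to TRUE. The file placement follows the reply's description; the function names and sample file contents are constructed for illustration.

```python
import re

# Parameter names and their files are taken from the message above; the
# sample file contents below are constructed for illustration.
REQUIRED = {
    "sqlnet.ora": "ORA_ENCRYPT_LOGIN",     # client side
    "init.ora": "DBLINK_ENCRYPT_LOGIN",    # server side, database links
}

def parse_params(text):
    """Return {NAME: value} from 'name = value' lines, ignoring # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.$]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().strip("\"'")
    return params

def audit(files):
    """files: {kind: text}. Return a list of (kind, parameter, finding)."""
    findings = []
    for kind, name in REQUIRED.items():
        if kind not in files:
            continue
        value = parse_params(files[kind]).get(name)
        if value is None:
            findings.append((kind, name, "not set: plain-text retry possible"))
        elif value.upper() != "TRUE":
            findings.append((kind, name, f"set to {value!r}, expected TRUE"))
    return findings

SAMPLE_SQLNET = """\
# constructed sample client sqlnet.ora
names.directory_path = (TNSNAMES)
# ora_encrypt_login = true   (commented out, so not in effect)
"""
SAMPLE_INIT = """\
# constructed sample init.ora
db_name = demo
dblink_encrypt_login = FALSE
"""

if __name__ == "__main__":
    for finding in audit({"sqlnet.ora": SAMPLE_SQLNET, "init.ora": SAMPLE_INIT}):
        print(*finding, sep=": ")
```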
