RE: Reverse engineer passwords

From: Rachel Carmichael <carmichr_at_hotmail.com>
Date: Fri, 14 Jul 2000 23:42:47 GMT
Message-Id: <10558.112120@fatcity.com>


I believe that Oracle also uses the username as part of the encryption...

>From: Ari D Kaplan <akaplan_at_interaccess.com>
>Reply-To: ORACLE-L_at_fatcity.com
>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
>Subject: RE: Reverse engineer passwords
>Date: Fri, 14 Jul 2000 15:22:34 -0800
>
>This is correct - it is impossible to reverse-engineer passwords from
>Oracle. So much so that even Oracle Corporation themselves- the people
>that made the algorithm - cannot reverse engineer people's passwords.
>
>Keep in mind that what William said (about forward-encrypting passwords
>and comparing the encrypted results) is the reason why you should not use
>dictionary words or your username (etc.) for your password. Someone can
>easily write a program to go through all usernames in the database and
>compare them to all dictionary words, forward-encrypting. Then it can
>compare the result with the value in the DBA_USERS data dictionary view.
>This is one way people can "hack" passwords.
>
>By the way, I discuss some of this, and describe how to login to the
>database as another user, in my white paper "A Bag of Tips and Tricks for
>DBAs and Developers" for free off my page: www.arikaplan.com
>
>If anyone finds a way to reverse engineer passwords, let me know so I can
>sell my stock quickly ;)
>
>-Ari Kaplan
>Independent Oracle DBA Consultant
>
><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
><-> For 370+ Oracle tips, visit: <->
><-> <->
><-> www.arikaplan.com <->
><-> <->
><-> email: akaplan_at_interaccess.com <->
><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
>
>
>On Fri, 14 Jul 2000, William Beilstein wrote:
>
> > The passwords are encrypted with a non-reversible algorithm. The way you
> > check a password is to encrypt the entered password and compare it against
> > the stored encrypted password.
> >
> > >>> Linda Hagedorn <Linda_at_pets.com> 07/14/00 01:16PM >>>
> > Hi Vincent,
> >
> > I have the encrypted password, and I want to reverse engineer it to the
> > Ebcdic. Do you have the math or routine?
> >
> > Thanks,
> >
> > Linda
> >
> > -----Original Message-----
> > Sent: Friday, July 14, 2000 5:45 AM
> > To: Multiple recipients of list ORACLE-L
> >
> >
> > hi,
> >
> > look into dba_users, there you'll find the encrypted password.
> >
> >
> > Vincent
> >
> >
> > -----Original Message-----
> > From: root_at_fatcity.com [mailto:root_at_fatcity.com] On Behalf Of Siva_Chintalapati
> > Sent: Friday, 14 July 2000 14:09
> > To: Multiple recipients of list ORACLE-L
> > Subject: RE: Reverse engineer passwords
> >
> >
> >
> > Where are these passwords stored? What is that file? Will it be in encrypted
> > form??
> > Siva
> >
> > ----------
> > Reply To: ORACLE-L_at_fatcity.com
> > Sent: Friday, July 14, 2000 4:35 PM
> > To: Multiple recipients of list ORACLE-L
> >
> > Hi,
> >
> > You can store the encrypted password in a table, change your
> > password as you like, test your application, if it fails then you know where
> > to look because probably the password will be somewhere in the application
> > or you can put the encrypted password back in the original table.
> >
> > good luck
> >
> > Vincent Ruger
> > (Oracle DBA)
> >
> > -----Original Message-----
> > From: root_at_fatcity.com [mailto:root_at_fatcity.com] On Behalf Of Eric Lansu
> > Sent: Friday, 14 July 2000 12:15
> > To: Multiple recipients of list ORACLE-L
> > Subject: Re: Reverse engineer passwords
> >
> >
> > I hope it's not possible to do this reverse engineering for it would
> > mean a serious security problem.
> >
> > Eric Lansu
> >
> > ----- Original Message -----
> > To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> > Sent: Thursday, 13 July 2000 22:17
> >
> >
> > > Some passwords are lost, others are in clear text, others are operational
> > > (somewhere in production), but not known due to turnover. Rather than
> > > possibly break running systems by changing passwords, we (dba staff) would
> > > like to reverse engineer the passwords in dba_users.
> > >
> > > Has anyone done this, and if so, will you send the key to me? Referrals to
> > > documentation are appreciated.
> > >
> > > Thank you.
> > >
> > > Linda Hagedorn
> > >
> > > --
> > > Author: Linda Hagedorn
> > > INET: Linda_at_pets.com
> > >
> > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > San Diego, California -- Public Internet access / Mailing Lists
> > > --------------------------------------------------------------------
> > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > (or the name of mailing list you want to be removed from). You may
> > > also send the HELP command for other information (like subscribing).
> >
> > --
> > Author: Eric Lansu
> > INET: eric.lansu_at_quicknet.nl
> >
> >
> >
> > --
> > Author: Linda Hagedorn
> > INET: Linda_at_pets.com
> >
> > --
> > Author: William Beilstein
> > INET: BeilstWH_at_obg.com
> >
> >
>
>--
>Author: Ari D Kaplan
> INET: akaplan_at_interaccess.com
>
Received on Fri Jul 14 2000 - 18:42:47 CDT
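
An added illustration of the points made in this thread (not code from any poster, and not Oracle's algorithm): verification by recomputing a one-way value, the username acting as a salt, and a DBA-side audit that flags accounts whose password is the username or a dictionary word. The PBKDF2 stand-in function, the account names and the word list are all assumptions constructed for the example.

```python
import hashlib
import hmac

def stored_verifier(username: str, password: str) -> str:
    # Stand-in one-way function (assumption): PBKDF2-HMAC-SHA256 salted with
    # the upper-cased username. This is NOT Oracle's password algorithm.
    salt = username.upper().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000).hex()

def check_login(username: str, password: str, stored: str) -> bool:
    # Verification never decrypts: recompute from the entered password, compare.
    return hmac.compare_digest(stored_verifier(username, password), stored)

def audit_weak_passwords(accounts: dict, wordlist: list) -> dict:
    # Flag accounts whose verifier matches the username or a listed word.
    # Only the reason is reported, so the audit output holds no passwords.
    findings = {}
    for user, stored in accounts.items():
        guesses = [(user, "same as username"), (user.lower(), "same as username")]
        guesses += [(w, "dictionary word") for w in wordlist]
        for guess, reason in guesses:
            if check_login(user, guess, stored):
                findings[user] = reason
                break
    return findings

# Constructed sample data: account names, passwords and word list are made up.
ACCOUNTS = {
    "APPUSER": stored_verifier("APPUSER", "appuser"),
    "BATCH": stored_verifier("BATCH", "welcome"),
    "REPORTS": stored_verifier("REPORTS", "welcome"),
    "DBA1": stored_verifier("DBA1", "c0rrect-Horse-7-staple!"),
}
WORDLIST = ["password", "welcome", "summer"]

if __name__ == "__main__":
    for user, reason in audit_weak_passwords(ACCOUNTS, WORDLIST).items():
        print(f"{user}: force a password change ({reason})")
```

BATCH and REPORTS share a password yet store different values because the username is mixed in, which is why the audit has to recompute each guess per account instead of comparing stored values to one another.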
