
RE: Reverse engineer passwords

From: Ari D Kaplan <akaplan_at_interaccess.com>
Date: Fri, 14 Jul 2000 19:15:39 -0500 (CDT)
Message-Id: <10558.112123@fatcity.com>


Yes, Oracle uses the username as well as the password to get the encryption. This is why I said that someone can write a program to get the usernames in the database and go through all dictionary words (as the passwords).

So, we are in agreement ;)

-Ari

On Fri, 14 Jul 2000, Rachel Carmichael wrote:

>
> I believe that Oracle also uses the username as part of the encryption...
>
> >From: Ari D Kaplan <akaplan_at_interaccess.com>
> >Reply-To: ORACLE-L_at_fatcity.com
> >To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> >Subject: RE: Reverse engineer passwords
> >Date: Fri, 14 Jul 2000 15:22:34 -0800
> >
> >This is correct - it is impossible to reverse-engineer passwords from
> >Oracle. So much so that even Oracle Corporation themselves - the people
> >that made the algorithm - cannot reverse engineer people's passwords.
> >
> >Keep in mind that what William said (about forward-encrypting passwords
> >and comparing the encrypted results) is the reason why you should not use
> >dictionary words or your username (etc.) for your password. Someone can
> >easily write a program to go through all usernames in the database and
> >compare them to all dictionary words, forward-encrypting. Then it can
> >compare the result with the value in the DBA_USERS data dictionary view.
> >This is one way people can "hack" passwords.
> >
> >By the way, I discuss some of this, and describe how to login to the
> >database as another user, in my white paper "A Bag of Tips and Tricks for
> >DBAs and Developers" for free off my page: www.arikaplan.com
> >
> >If anyone finds a way to reverse engineer passwords, let me know so I can
> >sell my stock quickly ;)
> >
> >-Ari Kaplan
> >Independent Oracle DBA Consultant
> >
> ><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
> ><-> For 370+ Oracle tips, visit: <->
> ><-> <->
> ><-> www.arikaplan.com <->
> ><-> <->
> ><-> email: akaplan_at_interaccess.com <->
> ><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
> >
> >
> >On Fri, 14 Jul 2000, William Beilstein wrote:
> >
> > > > The passwords are encrypted with a non reversible algorithm. The way you
> > > > check a password, is to encrypt the entered password and compare it against
> > > > the stored encrypted password.
> > >
> > > >>> Linda Hagedorn <Linda_at_pets.com> 07/14/00 01:16PM >>>
> > > Hi Vincent,
> > >
> > > I have the encrypted password, and I want to reverse engineer it to the
> > > Ebcdic. Do you have the math or routine?
> > >
> > > Thanks,
> > >
> > > Linda
> > >
> > > -----Original Message-----
> > > Sent: Friday, July 14, 2000 5:45 AM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > >
> > > hi,
> > >
> > > look into dba_users, there you'll find the encrypted password.
> > >
> > >
> > > Vincent
> > >
> > >
> > > -----Original message-----
> > > From: root_at_fatcity.com [mailto:root_at_fatcity.com] On behalf of Siva_Chintalapati
> > > Sent: Friday 14 July 2000 14:09
> > > To: Multiple recipients of list ORACLE-L
> > > Subject: RE: Reverse engineer passwords
> > >
> > >
> > >
> > > Where are these passwords stored? What is that file? Will it be in
> > > encrypted form??
> > > Siva
> > >
> > > ----------
> > > Reply To: ORACLE-L_at_fatcity.com
> > > Sent: Friday, July 14, 2000 4:35 PM
> > > To: Multiple recipients of list ORACLE-L
> > >
> > > Hi,
> > >
> > > You can store the encrypted password in a table, change your
> > > password as you like, test your application, if it fails then you know where
> > > to look because probably the password will be somewhere in the application
> > > or you can put the encrypted password back in the original table.
> > >
> > > good luck
> > >
> > > Vincent Ruger
> > > (Oracle DBA)
> > >
> > > -----Original message-----
> > > From: root_at_fatcity.com [mailto:root_at_fatcity.com] On behalf of Eric Lansu
> > > Sent: Friday 14 July 2000 12:15
> > > To: Multiple recipients of list ORACLE-L
> > > Subject: Re: Reverse engineer passwords
> > >
> > >
> > > I hope it's not possible to do this reverse engineering for it would
> > > mean a serious security-problem.
> > >
> > > Eric Lansu
> > >
> > > ----- Original Message -----
> > > To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> > > Sent: Thursday, 13 July 2000 22:17
> > >
> > >
> > > > Some passwords are lost, others are in clear text, others are operational
> > > > (somewhere in production), but not known due to turnover. Rather than
> > > > possibly break running systems by changing passwords, we (dba staff) would
> > > > like to reverse engineer the passwords in dba_users.
> > > >
> > > > Has anyone done this, and if so, will you send the key to me? Referrals to
> > > > documentation are appreciated.
> > > >
> > > > Thank you.
> > > >
> > > > Linda Hagedorn
> > > >
> > > > --
> > > > Author: Linda Hagedorn
> > > > INET: Linda_at_pets.com
> > > >
> > > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > > San Diego, California -- Public Internet access / Mailing Lists
> > > > --------------------------------------------------------------------
> > > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > > (or the name of mailing list you want to be removed from). You may
> > > > also send the HELP command for other information (like subscribing).
> > >
> > > --
> > > Author: Eric Lansu
> > > INET: eric.lansu_at_quicknet.nl
> > >
> > >
> > >
> > > --
> > > Author: Linda Hagedorn
> > > INET: Linda_at_pets.com
> > >
> > > --
> > > Author: William Beilstein
> > > INET: BeilstWH_at_obg.com
> > >
> > >
> >
> >--
> >Author: Ari D Kaplan
> > INET: akaplan_at_interaccess.com
> >
>
> --
> Author: Rachel Carmichael
> INET: carmichr_at_hotmail.com
>
Received on Fri Jul 14 2000 - 19:15:39 CDT
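
The points made in this thread (passwords are checked by forward-hashing and comparing, the username is part of the input, and dictionary words or the username itself are therefore weak choices) can be turned into a DBA-side audit. The following is an added example, not part of the original messages; it uses PBKDF2 as a stand-in one-way function rather than Oracle's algorithm, and the account names, wordlist and stored values are constructed.

```python
import hashlib
import hmac

def verifier(username: str, password: str) -> str:
    """Stand-in one-way function (NOT Oracle's algorithm); username acts as salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.encode(), 10_000
    ).hex()

def check_login(username: str, password: str, stored: str) -> bool:
    """Verify by forward-hashing the attempt and comparing; nothing is decrypted."""
    return hmac.compare_digest(verifier(username, password), stored)

def audit_weak_passwords(accounts: dict, wordlist: list) -> dict:
    """Return {username: reason} for accounts whose stored value matches the
    username itself or a dictionary word, hashed under that account's name."""
    findings = {}
    for user, stored in accounts.items():
        candidates = [(user, "same as username")]
        candidates += [(word, "dictionary word") for word in wordlist]
        for guess, reason in candidates:
            if check_login(user, guess, stored):
                findings[user] = reason
                break
    return findings

# Constructed sample data standing in for (username, stored value) pairs.
WORDLIST = ["password", "welcome", "oracle", "manager"]
ACCOUNTS = {
    "APPUSER": verifier("APPUSER", "welcome"),    # dictionary word
    "REPORTS": verifier("REPORTS", "REPORTS"),    # password equals username
    "BATCH": verifier("BATCH", "welcome"),        # same word, different user
    "OWNER": verifier("OWNER", "r7#Lq9!vZp2k"),   # not guessable from the list
}

if __name__ == "__main__":
    # Same password, different usernames: the stored values differ.
    print(ACCOUNTS["APPUSER"] != ACCOUNTS["BATCH"])
    for user, reason in audit_weak_passwords(ACCOUNTS, WORDLIST).items():
        print(f"{user}: change password ({reason})")
```

Because the username is mixed in, a stored value copied from one account says nothing about another account with the same password, yet every account still has to be protected by a password that is not in any wordlist.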
