RE: Reverse engineer passwords

From: Rachel Carmichael <carmichr_at_hotmail.com>
Date: Sat, 15 Jul 2000 18:38:55 GMT
Message-Id: <10559.112138@fatcity.com>

DUH! Sometimes I read too fast... and often I talk before I think

>From: Ari D Kaplan <akaplan_at_interaccess.com>
>Reply-To: ORACLE-L_at_fatcity.com
>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
>Subject: RE: Reverse engineer passwords
>Date: Fri, 14 Jul 2000 17:24:20 -0800
>
>Yes, Oracle uses the username as well as the password to get the
>encryption. This is why I said that someone can write a program to get the
>usernames in the database and go through all dictionary words (as the
>passwords).
>
>So, we are in agreement ;)
>
>-Ari
>
>On Fri, 14 Jul 2000, Rachel Carmichael wrote:
>
> >
> > I believe that Oracle also uses the username as part of the encryption...
> >
> > >From: Ari D Kaplan <akaplan_at_interaccess.com>
> > >Reply-To: ORACLE-L_at_fatcity.com
> > >To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
> > >Subject: RE: Reverse engineer passwords
> > >Date: Fri, 14 Jul 2000 15:22:34 -0800
> > >
> > >This is correct - it is impossible to reverse-engineer passwords from
> > >Oracle. So much so that even Oracle Corporation themselves - the people
> > >that made the algorithm - cannot reverse engineer people's passwords.
> > >
> > >Keep in mind that what William said (about forward-encrypting passwords
> > >and comparing the encrypted results) is the reason why you should not use
> > >dictionary words or your username (etc.) for your password. Someone can
> > >easily write a program to go through all usernames in the database and
> > >compare them to all dictionary words, forward-encrypting. Then it can
> > >compare the result with the value in the DBA_USERS data dictionary view.
> > >This is one way people can "hack" passwords.
> > >
> > >By the way, I discuss some of this, and describe how to login to the
> > >database as another user, in my white paper "A Bag of Tips and Tricks for
> > >DBAs and Developers" for free off my page: www.arikaplan.com
> > >
> > >If anyone finds a way to reverse engineer passwords, let me know so I can
> > >sell my stock quickly ;)
> > >
> > >-Ari Kaplan
> > >Independent Oracle DBA Consultant
> > >
> > ><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
> > ><-> For 370+ Oracle tips, visit: <->
> > ><-> <->
> > ><-> www.arikaplan.com <->
> > ><-> <->
> > ><-> email: akaplan_at_interaccess.com <->
> > ><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
> > >
> > >
> > >On Fri, 14 Jul 2000, William Beilstein wrote:
> > >
> > > > The passwords are encrypted with a non-reversible algorithm. The way you
> > > > check a password is to encrypt the entered password and compare it against
> > > > the stored encrypted password.
> > > >
> > > > >>> Linda Hagedorn <Linda_at_pets.com> 07/14/00 01:16PM >>>
> > > > Hi Vincent,
> > > >
> > > > I have the encrypted password, and I want to reverse engineer it to the
> > > > EBCDIC. Do you have the math or routine?
> > > >
> > > > Thanks,
> > > >
> > > > Linda
> > > >
> > > > -----Original Message-----
> > > > Sent: Friday, July 14, 2000 5:45 AM
> > > > To: Multiple recipients of list ORACLE-L
> > > >
> > > >
> > > > hi,
> > > >
> > > > look into dba_users, there you'll find the encrypted password.
> > > >
> > > >
> > > > Vincent
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: root_at_fatcity.com [mailto:root_at_fatcity.com] On behalf of Siva_Chintalapati
> > > > Sent: Friday, 14 July 2000 14:09
> > > > To: Multiple recipients of list ORACLE-L
> > > > Subject: RE: Reverse engineer passwords
> > > >
> > > >
> > > >
> > > > Where are these passwords stored? What is that file? Will it be in
> > > > encrypted form??
> > > > Siva
> > > >
> > > > ----------
> > > > Reply To: ORACLE-L_at_fatcity.com
> > > > Sent: Friday, July 14, 2000 4:35 PM
> > > > To: Multiple recipients of list ORACLE-L
> > > >
> > > > Hi,
> > > >
> > > > You can store the encrypted password in a table, change your
> > > > password as you like, test your application, if it fails then you know
> > > > where to look because probably the password will be somewhere in the
> > > > application or you can put the encrypted password back in the original
> > > > table.
> > > >
> > > > good luck
> > > >
> > > > Vincent Ruger
> > > > (Oracle DBA)
> > > >
> > > > -----Original Message-----
> > > > From: root_at_fatcity.com [mailto:root_at_fatcity.com] On behalf of Eric Lansu
> > > > Sent: Friday, 14 July 2000 12:15
> > > > To: Multiple recipients of list ORACLE-L
> > > > Subject: Re: Reverse engineer passwords
> > > >
> > > >
> > > > I hope it's not possible to do this reverse engineering for it would
> > > > mean a serious security-problem.
> > > >
> > > > Eric Lansu
> > > >
> > > > ----- Original Message -----
> > > > To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> > > > Sent: Thursday, 13 July 2000 22:17
> > > >
> > > >
> > > > > Some passwords are lost, others are in clear text, others are
> > > > > operational (somewhere in production), but not known due to turnover.
> > > > > Rather than possibly break running systems by changing passwords, we
> > > > > (dba staff) would like to reverse engineer the passwords in dba_users.
> > > > >
> > > > > Has anyone done this, and if so, will you send the key to me?
> > > > > Referrals to documentation are appreciated.
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Linda Hagedorn
> > > > >
> > > > > --
> > > > > Author: Linda Hagedorn
> > > > > INET: Linda_at_pets.com
> > > > >
> > > > > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > > > > San Diego, California -- Public Internet access / Mailing Lists
> > > > > --------------------------------------------------------------------
> > > > > To REMOVE yourself from this mailing list, send an E-Mail message
> > > > > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > > > > the message BODY, include a line containing: UNSUB ORACLE-L
> > > > > (or the name of mailing list you want to be removed from). You may
> > > > > also send the HELP command for other information (like subscribing).
> > > >
> > > > --
> > > > Author: Eric Lansu
> > > > INET: eric.lansu_at_quicknet.nl
> > > >
> > > >
> > > >
> > > > --
> > > > Author: Linda Hagedorn
> > > > INET: Linda_at_pets.com
> > > >
> > > > --
> > > > Author: William Beilstein
> > > > INET: BeilstWH_at_obg.com
> > > >
> > > >
> > >
> > >--
> > >Author: Ari D Kaplan
> > > INET: akaplan_at_interaccess.com
> > >
> >
> > --
> > Author: Rachel Carmichael
> > INET: carmichr_at_hotmail.com
> >
> >
>
>--
>Author: Ari D Kaplan
> INET: akaplan_at_interaccess.com
>
Received on Sat Jul 15 2000 - 13:38:55 CDT
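
The thread describes passwords stored in one-way form with the username mixed in, checked by re-encrypting the entered password and comparing, and gives that as the reason not to use dictionary words or the username as a password. The sketch below is an added example, not part of the original messages and not Oracle's algorithm: PBKDF2 stands in for the one-way function, and the function names, word list and length threshold are assumptions.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for the stand-in function

def make_verifier(username: str, password: str) -> str:
    """One-way verifier with the username mixed in as the salt.

    Stand-in only: PBKDF2-HMAC-SHA256, not the algorithm Oracle uses.
    """
    salt = username.lower().encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return digest.hex()

def check_login(username: str, password: str, stored: str) -> bool:
    """Verify as the thread describes: re-derive, then compare.

    The stored value is never decrypted; compare_digest avoids
    leaking the position of the first mismatch through timing.
    """
    return hmac.compare_digest(make_verifier(username, password), stored)

# Constructed sample word list; a real deployment would load a larger one.
WEAK_WORDS = {"password", "welcome", "oracle", "manager", "tiger", "summer"}
MIN_LENGTH = 12  # assumed policy value

def reject_reason(username: str, candidate: str):
    """Return why a new password must be refused, or None if acceptable.

    Run at password-change time, so guessable values are never stored
    where forward-hashing a word list could match them.
    """
    lowered = candidate.lower()
    # Strip trailing digits and '!' so 'Welcome123' is treated as 'welcome'.
    core = lowered.rstrip("0123456789!")
    if core == username.lower() or lowered == username.lower():
        return "matches username"
    if core in WEAK_WORDS:
        return "dictionary word"
    if len(candidate) < MIN_LENGTH:
        return "too short"
    return None

if __name__ == "__main__":
    stored = make_verifier("scott", "violet-kettle-runs-north")
    print(check_login("scott", "violet-kettle-runs-north", stored))
    print(reject_reason("scott", "Scott1"))
```

Because the username is part of the input, two accounts with the same password get different stored values, but the username is not secret, so it does nothing to protect a guessable password.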
