RE: ORA_ENCRYPT_LOGIN

Hmm...after trying to verify password being passed as plain text, I went back to
do some research on metalink, and it looks like encryption of passwords is done
by default in 8.1.5 (Net8) and higher. Only confusion now is whether I need to
set ORA_ENCRYPT_LOGIN = TRUE only in sqlnet.ora on the client or also in the

NT registry. Guess I'll go look through the docs on this and I'll send an update
if I find a definitive answer. Thanks for the replies.

-----Original Message-----
Sent: Thursday, May 23, 2002 12:33 AM
To: Multiple recipients of list ORACLE-L

could not say about the net8, but in oracle 7 clients, if the initial login fails, the client will do the *next*
login attempt using *plain text* as password !!! but if this param is set to TRUE, all the attempts are
done using an encrypted password.

set ORA_ENCRYPT_LOGIN = TRUE , in the correct ORACLE_HOME using regedit (if on windows)
turn the tracing level to 16, try to connect and see the trace file, u wud see the userid in plain text but thepassword will be encrypted...

> ----------
> From: MacGregor, Ian A.[SMTP:ian_at_SLAC.Stanford.EDU]
> Reply To: ORACLE-L_at_fatcity.com
> Sent: Thursday, May 23, 2002 2:52 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
> If you want to be absolutely sure the password is being encrypted, you'll
> need to place a sniffer on the network. Work with your network guys and
> whoever else needs to be involved. In most company's using an
> unauthorized sniffer will result in dismissal.
>
> Let me reinterate what I stated. SQL*NET encrypts passwords even if the
> ORA_ENCRYPT_LOGIN parameter is not set to TRUE I wouldn't label it strong
> encryption. If you really need that there is the Advanced Security
> Option.
>
> I'm not 100% sure when the passwrod is sent in the clear. It is never
> sent plain text when the ORA_ENCRYPT_L0gin parameter is set to TRUE. I
> believe it will be sent in the clear if the Oracle server side of SQL*NET
> is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is
> set to false. ( I cannot , off the top of my head, remember if the
> parameter takes YES/NO or TRUE/FALSE).
>
> The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all
> clients.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian_at_SLAC.Stanford.edu
>
>
>
> -----Original Message-----
> From: Richard Huntley [mailto:rhuntley_at_mindleaders.com]
> Sent: Wednesday, May 22, 2002 9:59 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
>
> That's exactly what I want to stop, passwords being sent in the
> clear. However, I'm not able to verify it's working so far. I've turned
> on tracing, as recommended in another reply on this topic, did a login
> before enabling then after enabling this parameter and the differences are
> very minor and I'm seeing nothing that specifically points
> to this parameter being used other than output saying the parameter
> is detected. How are you all having developers connect to the production
> box via SQL*Plus client on developer workstations, so that the password is
> not sent in the clear?
>
> -----Original Message-----
> From: MacGregor, Ian A. [mailto:ian_at_SLAC.Stanford.EDU]
> Sent: Tuesday, May 21, 2002 8:18 PM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
>
> Even without this parameter being set the password is encrypted.
> What the parameter does is stop the password from being sent in the clear
> if logging in with the encrypted password fails. I believe the
> encryption is a 54-bit variant of DES. It is very rare that someone
> improves DES by fiddling with it. It also always encrypts to the same
> value and provides no protection against replay attacks.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> ian_at_SLAC.Stanford.edu
>
> -----Original Message-----
> From: Richard Huntley [mailto:rhuntley_at_mindleaders.com]
> Sent: Tuesday, May 21, 2002 9:34 AM
> To: Multiple recipients of list ORACLE-L
> Subject: ORA_ENCRYPT_LOGIN
>
>
> Anyone using this and if so, do you know of a way to verify
> that the password is actually being encrypted?
>
> Thanks.
>
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Rahul
  INET: rahul_at_ratelindo.co.id

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Richard Huntley
  INET: rhuntley_at_mindleaders.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).