Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: password

RE: password

From: Jesse, Rich <Rich.Jesse_at_qtiworld.com>
Date: Tue, 17 Dec 2002 13:30:48 -0800
Message-ID: <F001.0051BF46.20021217133048@fatcity.com> 





Well, that's the default password.  Is the *hash* the same, though?



Someone had mentioned that they thought it was DB-dependant.  That can't be,
since I can copy a DB, change the name, and fire it up without changing the
password.



Rich



Rich Jesse                           System/Database Administrator
Rich.Jesse_at_qtiworld.com              Quad/Tech International, Sussex, WI USA






> -----Original Message-----

> From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]

> Sent: Tuesday, December 17, 2002 3:01 PM

> To: ORACLE-L_at_fatcity.com

> Cc: Jesse, Rich

> Subject: RE: password

> 

> 

> > Does "CHANGE_ON_INSTALL" have the same hash value for every

> > version and every instance?

> 

> Yes, it does.

> 

> Check:  http://www.pentest-limited.com/default-user.htm

> 

> This is a pentest list of default Oracle passwords.

> 

> I've used this to create a perl script that checks for 

> default passwords.

> 

> It doesn't matter which version of Oracle.

> 

> Jared

> 

> 

> 

> 

> 

> 

> 

> "Jesse, Rich" <Rich.Jesse_at_qtiworld.com>

> Sent by: root_at_fatcity.com

>  12/17/2002 11:03 AM

>  Please respond to ORACLE-L

> 

>  

>         To:     Multiple recipients of list ORACLE-L 

> <ORACLE-L_at_fatcity.com>

>         cc: 

>         Subject:        RE: password

> 

> 

> Interesting.  Does "CHANGE_ON_INSTALL" have the same hash 

> value for every

> version and every instance?

> 

> Not being much of a hacker (anymore) I would think that with only one

> algorithm and several known passwords (you can generate them 

> yourself), 

> this

> wouldn't be much of a challenge to real hackers.  Hell, the client 

> encrypts

> it to send to the server, right?  That code could be reverse 

> engineered,

> too.  BTW, VMS has many algorithms in play to help prevent 

> such an attack 

> on

> it's passwords.  <plug plug>

> 

> Oh to have the spare time of a 15-year old again...  :)

> 

> Rich

> 

> 

> Rich Jesse                           System/Database Administrator

> Rich.Jesse_at_qtiworld.com              Quad/Tech International, 

> Sussex, WI 

> USA



-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jesse, Rich
  INET: Rich.Jesse_at_qtiworld.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Tue Dec 17 2002 - 15:30:48 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US