Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: passwords case sensitive

Re: passwords case sensitive

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Sun, 19 Oct 2003 01:35:58 -0800
Message-ID: <F001.005D39B0.20031019013558@fatcity.com>


>
>You could use it to enforce all lowercase, or init caps.
>
>Jared

Hi Jared,

You could do as you suggest and enforce all to lowercase or initcaps but what is the point?, Oracle is not case sensitive for passwords even when the password is set using quotes. See for example:

SQL> connect system/manager_at_zulia
Connected.
SQL> -- create a user no quotes lower case SQL> create user jared identified by jared;

User created.

SQL> select password from dba_users where username='JARED';

PASSWORD



C142CAC4DE964694 SQL> -- change the password, no quotes upper case SQL> alter user jared identified by JARED;

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD



C142CAC4DE964694 SQL> -- change the password, no quotes initcap SQL> alter user jared identified by Jared;

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD



C142CAC4DE964694 SQL> -- try now with quotes, upper case
SQL> alter user jared identified by "JARED";

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD



C142CAC4DE964694 SQL> -- with quotes, lower case
SQL> alter user jared identified by "jared";

User altered.

SQL> select password from dba_users where username ='JARED';

PASSWORD



C142CAC4DE964694 SQL> -- with quotes initcap
SQL> alter user jared identified by "Jared";

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD



C142CAC4DE964694 As yu can no doubt see the hash is the same no matter what case is used and also even if the password is encased in quotes. This seems to defy the logic of using quotes as doing so allows the use of any character such as:

SQL> alter user jared identified by "£$%^";

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD



8248DF340D98455E

SQL> connect jared/"£$%^"@zulia
ERROR:
ORA-01045: user JARED lacks CREATE SESSION privilege; logon denied

Warning: You are no longer connected to ORACLE. SQL> connect system/manager_at_zulia
Connected.
SQL> grant create session to jared;

Grant succeeded.

SQL> connect jared/"£$%^"@zulia
Connected.
SQL> why then if it allows the whole character set including control characters does it change make ASCII letters case insensitive?

Anyway the point is from above the original OP cannot force a password to be case sensitive as Oracle does not recognise case for passwords.

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Pete Finnigan
  INET: oracle_list_at_peterfinnigan.demon.co.uk

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Sun Oct 19 2003 - 04:35:58 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US