Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Risk of knowing password hash value (Was: OEM permissions)

From: Jared Still <jkstill_at_cybcon.com>
Date: Mon, 22 Dec 2003 21:49:25 -0800
Message-ID: <F001.005DAAAB.20031222214925@fatcity.com>


On RH 8.0 Oracle 9.2.0.4: F894844C34402B67

It is required that a password for a particular user always hashes to the same value, regardless of platform or Oracle version.

This has been true for as long as I have used Oracle: since 7.0.13.

If not, export/import would not be able to recreate users, and database links without a password would not work.

Good reason to protect DBA_USERS, no?

Jared

On Mon, 2003-12-22 at 20:44, Michael Thomas wrote:
> Hi,
>
> Okay. I'm almost a believer of this as a problem. How
> about 9.2.0.4 on RH9.3.
>
> 1) What does anyone/everyone get for this query (my
> results shown):
>
> connect system/blah_at_blah;
> alter user scott identified by tiger;
> --
> select password
> from dba_users
> where username = 'SCOTT';
>
> PASSWORD
> ----------------
> F894844C34402B67
>
> 2) If you all get the same, then I'm concerned.
>
> Regards,
>
> Mike Thomas
>
> --- Yong Huang <yong321_at_yahoo.com> wrote:
> > Jared,
> >
> > I see you log out and log back in as SYSTEM to DB2.
> > But how do you know the
> > password for SYSTEM to log back in with after you
> > change it?
> >
> > What if you don't log out? When I tried that (i.e.
> > not logging out), I got
> > ORA-1017.
> >
> > Yong Huang
> >
> > --- Jared Still <jkstill_at_cybcon.com> wrote:
> > > Environment:
> > >
> > > DB1: RH 8.0 with Oracle EE 9.2.0.4
> > >
> > > DB2: Win2k SP3 with Oracle EE 9.2.0.1
> > >
> > > SYSTEM user on each database initially have
> > different passwords.
> > >
>
>

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Received on Mon Dec 22 2003 - 23:49:25 CST
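
The point made in the thread (the same user/password pair gives the same hash on every database, so read access to DBA_USERS needs protecting) can be audited with a few dictionary queries. This is an added example, not part of the original messages; it assumes the 9.2-era dictionary discussed in the thread, where DBA_USERS.PASSWORD holds the hash, and a session with access to the DBA_* views.

```sql
-- Added example (not from the thread): audit exposure of password hashes.

-- 1. Is SCOTT still on the password whose hash is quoted in the thread?
SELECT username, account_status
FROM   dba_users
WHERE  username = 'SCOTT'
AND    password = 'F894844C34402B67';

-- 2. Who has been granted direct read access to the views/tables that
--    expose the hash column? Grantees may be users or roles.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name IN ('DBA_USERS', 'USER$')
ORDER  BY grantee, table_name;

-- 3. Who holds a system privilege that reaches the data dictionary?
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY'
ORDER  BY grantee;

-- 4. Expand role grants: every user or role that inherits access through
--    a role found in query 2 or 3, however deeply the roles are nested.
SELECT DISTINCT grantee, granted_role
FROM   dba_role_privs
START  WITH granted_role IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner = 'SYS'
         AND    table_name IN ('DBA_USERS', 'USER$')
         UNION
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege = 'SELECT ANY DICTIONARY')
CONNECT BY PRIOR grantee = granted_role
ORDER  BY grantee;
```

Any grantee returned by queries 2 to 4 that is not an administrative account is a candidate for having the grant revoked.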
