Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Risk of knowing password hash value (Was: OEM permissions)

RE: Risk of knowing password hash value (Was: OEM permissions)

From: Norris, Gregory T [ITS] <gregory.t.norris_at_mail.sprint.com>
Date: Tue, 23 Dec 2003 13:24:26 -0800
Message-ID: <F001.005DAEA6.20031223132426@fatcity.com> 





Ah, you're right... the username is taken into account when the password is hashed.  Quite a few applications have forced usernames, however, so I'm still a bit uneasy.  It's clearly not as bad as I thought, however.



-----Original Message-----


Davey, Alan


Sent: Tuesday, December 23, 2003 2:59 PM
To: Multiple recipients of list ORACLE-L




No.  Two different users with the same password would have different hash
values. 



So you would have to loop through a "dictionary list" for each user within
your local database.  Once you got a match, then you could logon to the
target database with that user/password combo.  





Alan Davey


Senior Analyst/Project Leader


Oracle 9i OCA; 3/4 OCP


w) 973.267.5990 x458


w) 212.295.3458





-----Original Message-----


Sent: Tuesday, December 23, 2003 3:29 PM
To: Multiple recipients of list ORACLE-L




Not really... you could easily compile a list of passwords and their
associated hashes.  Once this is done, it's just a simple matter of matching
the hashes.



-----Original Message-----


Jared Still


Sent: Tuesday, December 23, 2003 1:24 PM
To: Multiple recipients of list ORACLE-L




As long Oracle can manage to keep its modified DES algorithm
secret, this should make it somewhat difficult to crack passwords
in the manner that can be done with unix passwords.



It could still be done, but the time required would make
it just too time consuming IMO.  



Jared




On Tue, 2003-12-23 at 09:44, Stephen.Lee_at_DTAG.Com wrote:


> 

> When I brought the issue up, I didn't know if one could in fact

maliciously


> use that info.  And, as I originally stated, it was something I had not

> tried.  But paranoia (healthy, I think) dictates there's gotta be a way.

> When one looks at the Unix password world which brought about the

necessity


> for a shadow file, and the evils of the old NIS where ypcat was available,

> you have to wonder why allowing access to the encrypted passwords for Unix

> is considered a dumb thing to do, but somehow in Oracle it would be an OK

> thing to do.  I'm inclined to say that Oracle restricted access to the

views


> and underlying tables for reasons more substantial than just to frustrate

> non-privileged users.  And, if I'm not mistaken, the specs on the views

are


> "subject to change without notice".  I have enough to do without trying to

> stay on top of every stinkin' view in Oracle in every stinkin' release and

> how one might use that view in naughty ways.

> 

> For what it's worth, after haggling and fussing, we were able to

compromise


> on this.  We haven't tried to tear each of these apart to see how it might

> be abused.  If any of you have some warnings to provide, please do!

> 

> -- Must run this as SYS

> 

> create role DBARTISAN_USER_ROLE;

> 

> grant SELECT on SYS.V_$PROCESS to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SESSION to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$LATCH to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$LATCHNAME to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$LATCHHOLDER to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$LOCK to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SESSTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$MYSTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SYSSTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$STATNAME to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$ACCESS to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$FILESTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$ROLLNAME to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$ROLLSTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SGA to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$PARAMETER to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$ROWCACHE to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$LIBRARYCACHE to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$INSTANCE to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$DISPATCHER to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SQLAREA to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SQLTEXT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SQLTEXT_WITH_NEWLINES to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$OPEN_CURSOR to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$PQ_SYSSTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SGASTAT to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SHARED_SERVER to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$DATAFILE to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$TABLESPACE to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.V_$SESS_IO to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.ALL_OBJECTS to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.DBA_ROLLBACK_SEGS to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.PRODUCT_COMPONENT_VERSION to DBARTISAN_USER_ROLE;

> grant SELECT on SYS.DBA_EXTENTS to DBARTISAN_USER_ROLE;

> 

> grant DBARTISAN_USER_ROLE to USER_WE_DONT_LIKE;

> 

> -- 

> Please see the official ORACLE-L FAQ: http://www.orafaq.net

> -- 

> Author: <Stephen.Lee_at_DTAG.Com

>   INET: Stephen.Lee_at_DTAG.Com

> 

> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com

> San Diego, California        -- Mailing list and web hosting services

> ---------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).

> 




-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Norris, Gregory T [ITS]
  INET: gregory.t.norris_at_mail.sprint.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


"This information in this e-mail is intended solely for the addressee and
may contain information which is confidential or privileged.  Access to this
e-mail by anyone else is unauthorized.  If you are not the intended
recipient, or believe that you have received this communication in error,
please do not print, copy, retransmit, disseminate, or otherwise use the
information. Also, please notify the sender that you have received this
e-mail in error, and delete the copy you received."


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Davey, Alan
  INET: Alan.Davey_at_encodasystems.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Norris, Gregory T [ITS]
  INET: gregory.t.norris_at_mail.sprint.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Tue Dec 23 2003 - 15:24:26 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US