Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Funny sort of question re sys password

Re: Funny sort of question re sys password

From: Pete Finnigan <>
Date: Wed, 10 Mar 2004 11:18:03 +0000
Message-ID: <>

Hi Nuno,

Oracle do not make the encryption algorithm public but there is enough info in their own documents to know it is a modified DES encryption algorithm. DES has been cracked so it is possible, i suppose but not practical. Using a password cracker is the only other possibility, there are a couple of free PL/SQL based ones out there that use "alter user" to change the password and compare against the hash in sys.user$. There are links to both on my tools page - these are toys really compared to a real cracker like John the ripper or lopht. If the password is still the default then it is also easy to crack. Brute forcing using a pl/sql based password cracker would be useless unless you (he) were lucky.

I guess he is not talking about breaking the encryption or using a brute force or dictionary attack. he most probably is talking about being able to simply change the password of SYS. There are many many ways that would allow this that i can think of. Most depend on what your current set up is and whether you have blocked these avenues off. There are also issues of password leakage, vulnerabilities...

If you look at my site there are two checklists on there, one is the SANS S.C.O.R.E document which is a big checklist of Oracle security items to look at and the other is the CIS Oracle benchmark which is based very closely on the SANS work.

Your Sun guy is easy though, he is just connecting as root and logging on as "/ as sysdba" - i guess.

kind regards


Pete Finnigan
Web site: - Oracle security audit specialists Book:Oracle security step-by-step Guide - see for details.

Please see the official ORACLE-L FAQ:

To unsubscribe send email to: put 'unsubscribe' in the subject line.

Archives are at FAQ is at
Received on Wed Mar 10 2004 - 05:23:01 CST

Original text of this message