
Re: Funny sort of question re sys password

From: Nuno Souto <>
Date: Wed, 10 Mar 2004 23:28:09 +1100
Message-ID: <015901c4069c$31e088c0$9b00a8c0@dcs001>

> - these are toys really compared to a real cracker like John the Ripper
> or lopht.

Ah yes: I'm quite familiar with the second one. Used it to "harden" my bank account passwords. It can't crack them now and I can still (barely!) remember them.

> I guess he is not talking about breaking the encryption or using a brute
> force or dictionary attack. He most probably is talking about being able
> to simply change the password of SYS. There are many many ways that
> would allow this that I can think of. Most depend on what your current
> setup is and whether you have blocked these avenues off. There are also
> issues of password leakage, vulnerabilities...

I'd class most of those under the umbrella of "social engineering": indirect acquisition of knowledge through exploitation of other weaknesses in security. But yes, it is possible that way.

> If you look at my site there are

Ta, I'll definitely look this up.

> Your Sun guy is easy though, he is just connecting as root and logging
> on as "/ as sysdba" - I guess.

This doesn't count: it assumes root password knowledge which would break ALL security in the system, not just Oracle's. Also, logging in as the install user would achieve the same. Or any user authorised to dba group, I suppose. But all that assumes a breakdown in other than Oracle's security to start with. That is not an Oracle inherent security problem.

I was more concerned with obvious security breaches such as unencrypted passwords ending up in log files or file headers, or unencrypted comms eavesdropping. Guess those are not that easy with 9i; they used to be the order of the day with earlier versions.

Anyone know of any other ways?
Nuno Souto
in sunny Sydney, Australia

Received on Wed Mar 10 2004 - 06:32:16 CST