Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Listener password encryption

RE: Listener password encryption

From: Johnson, George <GJohnson_at_GAM.COM>
Date: Fri, 17 Feb 2006 09:34:02 -0000
Message-ID: <>

	Ah yes the wonderful encrypted password. The hashed string is stored in the listener.ora file, so if you forget the listener password you can simply copy and paste the hashed string that was generated, back into the set password prompt to get in. So now you must not only protect the password but also the listner.ora files must now not fall in the evil ones hands! Why couldn't it be written to a binary password file like the DB has? 
	We had to implement it, as the previous poster said, to satisfy the auditors. I won't start a rant on the subject, suffice to say they usually simply glance over the software security guides without understanding the underlying concepts and pitfalls!

-----Original Message-----
From: [] On Behalf Of Greg Norris Sent: 16 Feb 2006 19:03
Subject: Re: Listener password encryption

I wouldn't even bother using an encrypted password, unless of course this is being done to satisfy some (clueless) auditor's checklist. The way Oracle handles encrypted listener passwords, they're absolutely no more secure than the cleartext counterpart... in fact, one could easily argue that they're slightly *less* secure.

On 2/16/06, J. Dex <> wrote:
> I am trying to save an encrypted password for the listener and
> although it responds that the command was completed successsfully, it
> isn't turning on security and doesn't seem to be working. Any ideas?
> This is Oracle 9207 on a Windows 2003 server. This is what I am
> doing:
> LSNRCTL>set save_config_on_stop on
> LSNRCTL>set password password_name
> My understanding is that security in "status" should be set to on and
> I should see some comments at the bottom of the listener file, but I
> am not seeing those.

"I'm too sexy for my code." - Awk Sed Fred.

This message contains confidential information and is intended only 
for the individual or entity named.  If you are not the named addressee
you should not disseminate, distribute or copy this e-mail.  
Please notify the sender immediately by e-mail if you have received 
this e-mail by mistake and delete this e-mail from your system.
E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of this 
message which arise as a result of e-mail transmission.  
If verification is required please request a hard-copy version.
This message is provided for informational purposes and should not
be construed as an invitation or offer to buy or sell any securities or
related financial instruments.
GAM operates in many jurisdictions and is 
regulated or licensed in those jurisdictions as required.

Received on Fri Feb 17 2006 - 03:34:02 CST

Original text of this message