Re: Pete Finnigan's Oracle database password checker

From: Andre van Winssen
Date: Fri, 10 Oct 2008 12:13:14 +0200

The slow part of the plsql code is the Brute Force attack. That can hardly compete with real password crackers written in C(++). You can reduce the pain of doing a brute force attack by changing the line with
*passlen:=4*; -- need to restrict to 4 so that it takes around 35 secs
*passlen:=2*; -- need to restrict to 2 so that it takes around 1 sec

You can extend the dictionary list with your own words as pointed out by others.

For those not well versed in plsql (not many in this list I'd guess) here's a small explanation of how the plsql code works: from a list of cleartext passwords it generates the hash and compares that with the oracle hash stored in the SYS.USER$ column. If the hash matches then it means you found the clear text password. It's as simple as that. The algorithm for calculating the oracle password hash has been known in the public area for years. But now Pete implemented it in this plsql procedure. That is the added value because now you can easily run the cracker as an oracle database job.
You may also want to change the output it generates. Certain companies won't allow you to publish real passwords. This certainly applies to sox databases. So instead of the password itself you might change the procedure so that it returns the string 'WEAK' or 'BAD' or similar.

Kind regards,

Received on Fri Oct 10 2008 - 05:13:14 CDT
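
The dictionary comparison and the masked 'WEAK' output described in the message above, as an added example that is not part of the original post and is not Pete Finnigan's PL/SQL. `stand_in_hash` is a placeholder (SHA-256 based, not the Oracle algorithm), and the account rows and word list are constructed sample data.

```python
import hashlib
import hmac


def stand_in_hash(username: str, password: str) -> str:
    """Placeholder for the database's hash routine (NOT the Oracle algorithm).

    Assumption of this example: the hash depends on the account name as well
    as the password, so every candidate must be hashed once per account.
    """
    data = (username + password).upper().encode("utf-8")
    return hashlib.sha256(data).hexdigest().upper()[:16]


def audit_accounts(accounts, wordlist, hash_fn=stand_in_hash):
    """Return {username: 'WEAK' | 'OK'} without recording the matching word."""
    report = {}
    for username, stored_hash in accounts:
        status = "OK"
        for word in wordlist:
            candidate = hash_fn(username, word)
            if hmac.compare_digest(candidate, stored_hash.upper()):
                status = "WEAK"
                break  # first match is enough; the cleartext is not kept
        report[username] = status
    return report


def format_report(report):
    """Render the findings for a job log: account name and status only."""
    return [f"{user:<12}{status}" for user, status in sorted(report.items())]


# Constructed sample data: (username, stored hash) rows and a small dictionary.
WORDLIST = ["welcome1", "oracle", "password", "tiger"]
ACCOUNTS = [
    ("SCOTT", stand_in_hash("SCOTT", "tiger")),
    ("APP_OWNER", stand_in_hash("APP_OWNER", "x9!Lq#72vRp")),
    ("HR", stand_in_hash("HR", "welcome1")),
]

if __name__ == "__main__":
    for line in format_report(audit_accounts(ACCOUNTS, WORDLIST)):
        print(line)
```

The report carries only the account name and a status, so it can be stored or circulated where the cleartext password may not be.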
