RE: Question re inserting hashed strings (I think)

From: Bobak, Mark <Mark.Bobak_at_proquest.com>
Date: Fri, 24 Apr 2009 18:35:13 -0400
Message-ID: <6AFC12B9BFCDEA45B7274C534738067F164410AC_at_AAPQMAILBX02V.proque.st>



Hi Bill,

If you suspect non-printable characters, try: select dump(hashed_value) from table;

You'll the length of the string and the value of each character, including non-printable characters.

-Mark



From: oracle-l-bounce_at_freelists.org [oracle-l-bounce_at_freelists.org] On Behalf Of William Wagman [wjwagman_at_ucdavis.edu] Sent: Friday, April 24, 2009 18:02
To: Jared Still
Cc: Oracle-L Freelists
Subject: RE: Question re inserting hashed strings (I think)

Hi Jared,

Moving things won’t cause the app to break, it is merely necessary to change a password from within the application when the users password is changed at the database level as the user’s password (only the application manager account by the way) it must also be changed through the application. That is known. So for example if I do the following…

SQL> alter user <user-in-question> identified by newpassword;

Then I must also go into the management section of the application and change the password there as well. This password string is then hashed (I’m pretty sure) and then stored in the password field in the aforementioned table. I can see the string if I select the password field from that table but I can’t stuff it back into the column successfully. I have found the code which is updating that field, it does something like…

Update <table> set password = :some-bind-variable;

Where the bind variable has already been hashed. I know what the string looks like, I see it when I do a select, but I suspect the string contains non-printing characters which is why I can’t get it.

I’m probably not doing a very good job of explaining this but if you have any further thoughts I’d appreciate hearing them.

Thanks.

Bill Wagman
Univ. of California at Davis
IET Campus Data Center
wjwagman_at_ucdavis.edu
(530) 754-6208
From: Jared Still [mailto:jkstill_at_gmail.com] Sent: Friday, April 24, 2009 2:49 PM
To: William Wagman
Cc: Oracle-L Freelists
Subject: Re: Question re inserting hashed strings (I think)

On Fri, Apr 24, 2009 at 11:48 AM, William Wagman <wjwagman_at_ucdavis.edu<mailto:wjwagman_at_ucdavis.edu>> wrote: The update is accepted but it is apparently not the correct string as users are unable to connect and I must then go in through the application and update the password. I don't know how the application hashes the password.

Do you have any idea what function is being used to generate the hash?

Could be an environmentally dependent value is being used as part of the string to generate the hash.

If so, it might be a good idea to ask them to rethink that process, as moving the database to a new server ( or some dependency - IP? ) causes the app to break.

Jared Still
Certifiable Oracle DBA and Part Time Perl Evangelist

--

http://www.freelists.org/webpage/oracle-l Received on Fri Apr 24 2009 - 17:35:13 CDT

Original text of this message