Re: Passwords in DBA_USERS (Oracle 12c)

From: Andy Klock <andy_at_oracledepot.com>
Date: Thu, 7 Jul 2016 09:32:56 -0400
Message-ID: <CADo_RaMmO1hTeKfD3DoTZuQKLKU5+sbJ11fwm8mHYMUEs5JQmA_at_mail.gmail.com>



All your points are valid, Chris. My absurdity comment is about the Oracle software allowing someone to log into someone else's account and then reset the password back to its previous state. This is a gaping security hole that should be filled. Removing PASSWORD from DICTIONARY access was a step in the right direction. Those hashes shouldn't be considered unbreakable.

Didn't mean to imply that Mladen was doing anything wrong.

On Thu, Jul 7, 2016 at 9:16 AM, Chris Taylor <christopherdtaylor1994_at_gmail.com> wrote:

> Having the password "somewhere" is important so I'm not sure if Andy is
> suggesting it's absurd to have it anywhere in the database or not. But for
> at least one case it's terribly important and that is supporting legacy
> applications.
>
> Sometimes you need to be able to login as an application schema to create
> an object such as a materialized view or database link that is either
> exceptionally difficult or impossible to do UNLESS you are logged in as the
> schema owner.
> The DBA may not have access to the schema password but can preserve the
> password by looking at sys.user$ for the encrypted password, temporarily
> change it, create the object (db link or MV), then change the password back
> without ever affecting the application (or briefly affecting the
> application at least).
>
> Thanks,
> Chris
>
>

--
http://www.freelists.org/webpage/oracle-l
Received on Thu Jul 07 2016 - 15:32:56 CEST
