Re: Passwords in DBA_USERS (Oracle 12c)

From: Andrew Kerber <andrew.kerber_at_gmail.com>
Date: Thu, 7 Jul 2016 09:26:58 -0500
Message-ID: <CAJvnOJYUx-597WkN7jxVtk2uBFwqr40VeH_YFP48caKnVBZCcg_at_mail.gmail.com>

Yes. Until programmers learn to include functionality that allows passwords to be changed easily on the mid tier, the DBA or designated security personnel must be able to change a password and take it back to what it was.

On Thu, Jul 7, 2016 at 9:20 AM, Powell, Mark <mark.powell2_at_hpe.com> wrote:

> Andy, I will disagree that it is absurd for Oracle to allow a means for a
> 'privileged' user to be able to change another's users password hash
> because without such a method how would an existing user with their
> existing password be migrated to another database?
>
> ________________________________
> From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> on
> behalf of Andy Klock <andy_at_oracledepot.com>
> Sent: Thursday, July 7, 2016 9:32:56 AM
> To: Chris Taylor
> Cc: dimensional.dba_at_comcast.net; Mladen Gogala; oracle-l
> Subject: Re: Passwords in DBA_USERS (Oracle 12c)
>
> All your points are valid Chris. My absurdity comment is about the Oracle
> software allowing someone to log into someone else's account and then reset
> the password back to its previous state. This is a gaping security hole
> that should be filled. Removing PASSWORD from DICTIONARY access was a step
> in the right direction. Those hashes shouldn't be considered unbreakable.
>
> Didn't meant to imply that the Mladen was doing anything wrong.
>
> On Thu, Jul 7, 2016 at 9:16 AM, Chris Taylor <
> christopherdtaylor1994_at_gmail.com<mailto:christopherdtaylor1994_at_gmail.com>>
> wrote:
> Having the password "somewhere" is important so I'm not sure if Andy is
> suggesting it's absurd to have it anywhere in the database or not. But for
> at least one case it's terribly important and that is supporting legacy
> applications.
>
> Sometimes you need to be able to login as an application schema to create
> an object such as a materialized view or database link that is either
> exceptionally difficult or impossible to do UNLESS you are logged in as the
> schema owner.
> The DBA may not have access to the schema password but can preserve the
> password by looking at sys.user$ for the encrypted password, temporarily
> change it, create the object (db link or MV), then change the password back
> without ever affecting the application (or briefly affecting the
> application at least).
>
> Thanks,
> Chris
>
>
> --
> http://www.freelists.org/webpage/oracle-l
>
>
>

-- 
Andrew W. Kerber

'If at first you dont succeed, dont take up skydiving.'

--
http://www.freelists.org/webpage/oracle-l

Received on Thu Jul 07 2016 - 16:26:58 CEST

This message: [ Message body ]
Next message: Chris Taylor: "Re: Passwords in DBA_USERS (Oracle 12c)"
Previous message: Mladen Gogala: "Re: Passwords in DBA_USERS (Oracle 12c)"
Maybe in reply to: Ricardo Arnoud: "Re: Passwords in DBA_USERS (Oracle 12c)"
In reply to Andy Klock: "Re: Passwords in DBA_USERS (Oracle 12c)"
Next in thread: Hans Forbrich: "Re: Passwords in DBA_USERS (Oracle 12c)"
Reply: Hans Forbrich: "Re: Passwords in DBA_USERS (Oracle 12c)"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message