Re: converting oracle passwords

Which part of what you wrote gives access to unencrypted copies of passwords?

Daniel Morgan

Jerry Metz wrote:

> Actually, this is not true. The following SQLPlus script can be run from
> the SYSTEM user. It will not allow you to do all of the passwords in one
> crack, but if you're a DBA and your intent is pure, I'm sure that you'll
> think of something.
>
> set verify off
> set echo off
> set feedback off
> set termout off
> set pause off
> connect /
> column op noprint new_value old_pw
> select password op from dba_users
> where username = upper('&1')
> /
> alter user &1 identified by temppw;
> connect &1/temppw
> grant connect to &1 identified by values '&&old_pw';
> set termout on
> show user
> set feedback on
>
> damorgan wrote:
>
> > It is impossible.
> >
> > Were it possible there would be no security in an Oracle database.
> >
> > And, quite frankly, there are only two reasons I can conceive of for
> > wanting unencrypted passwords belonging to other users. One is a lack of
> > experience so profound that you don't understand the Oracle security
> > model. The other that you are trying to hack the system.
> >
> > Daniel Morgan
> >
> > John wrote:
> >
> > > I have a system that used oracle users for logins. The passwords are
> > > of course encrypted. Our new system uses it's own table for
> > > validation of logins. I need to copy over the usernames and passwords
> > > from the dba_users table, into a seperate table, and have the
> > > passwords be unencrypted so it can read them. Is there an easy way to
> > > do this? Thanks.
> > >
> > > JR
Received on Wed Apr 03 2002 - 10:10:50 CST