Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Encrypted Fields

From: Andy Finkenstadt <kahuna_at_panix.com>
Date: Fri, 31 Jan 2003 18:24:35 +0000 (UTC)
Message-ID: <b1ef13$658$2@reader1.panix.com>


In <u0k_9.105$eR.16832833_at_newssvr15.news.prodigy.com> Karsten Farrell <kfarrell_at_belgariad.com> writes:
>Also seed with the hostname so they can't load it on their PC at home
>and let it crank away with a password cracking program. Oracle doesn't
>do this, however.

By the time you can do an alter user USR identified by values 'HASH', you pretty much already have enough access to the Oracle database to not worry about this.

The reason why Oracle doesn't include machine name (or instance) in their hash of the password is very simple: how else do you do a full database import onto a replacement machine, and still retain previously supplied passwords?

andy

-- 
Andrew Finkenstadt (http://www.finkenstadt.com/andy/)
Received on Fri Jan 31 2003 - 12:24:35 CST
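
The portability trade-off discussed in this thread, as an added example that is not part of the original posts: a toy credential store whose stored verifiers are exported and imported onto a replacement host, once with a host-independent salt and once with the machine name mixed in. The `Instance` class, the hostnames, the account and the use of PBKDF2-HMAC-SHA256 are all assumptions for illustration; this is not Oracle's password algorithm.

```python
import hashlib
import hmac


def verifier(password: str, salt: str) -> str:
    # PBKDF2-HMAC-SHA256 is a stand-in here, not Oracle's password algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000).hex()


class Instance:
    """Hypothetical credential store; bind_host=True mixes the machine name into the salt."""

    def __init__(self, hostname: str, bind_host: bool):
        self.hostname = hostname
        self.bind_host = bind_host
        self.users = {}  # username -> stored verifier

    def _salt(self, username: str) -> str:
        return f"{self.hostname}:{username}" if self.bind_host else username

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = verifier(password, self._salt(username))

    def export_users(self) -> dict:
        # A full export carries the stored verifiers, never the passwords.
        return dict(self.users)

    def import_users(self, dump: dict) -> None:
        # Comparable in spirit to setting each account from its stored value.
        self.users.update(dump)

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, verifier(password, self._salt(username)))


def migrate_and_login(bind_host: bool) -> tuple:
    """Create a user on the old host, import onto a replacement, try both logins."""
    old = Instance("db-old.example", bind_host)   # constructed hostnames
    old.create_user("SCOTT", "constructed-password")
    new = Instance("db-new.example", bind_host)
    new.import_users(old.export_users())
    return (old.login("SCOTT", "constructed-password"),
            new.login("SCOTT", "constructed-password"))


if __name__ == "__main__":
    print("host-independent salt:", migrate_and_login(False))
    print("host-bound salt:      ", migrate_and_login(True))
```

With the host-bound salt, the imported verifier no longer matches on the replacement machine, so every account would need its password reset after the import.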
