Re: decrypting password : who knows ?

From: Connor McDonald <mcdonald.connor.cs_at_bhp.com.au>
Date: Fri, 13 Nov 1998 16:25:34 +0800
Message-ID: <364BECFE.F3E@bhp.com.au>

Moogle wrote:
>
> Pete Johnson wrote in message <36497ee0.0_at_145.227.194.253>...
> >
> >BluesMan wrote in message <72ahmp$k4b$1_at_front3.grolier.fr>...
> >>Hi all,
> >>
> >>I am looking for the algorithm used to decrypt Oracle's passwords.
> >>
> >>Thanks !
> >>
> >>gotblues_at_mygale.org
> >>
> >Yea - you and every other hacker out there - Oracle themselves don't know -
> >the rubbish that you see in the Users table is not decryptable.
>
> I've always wondered why they even put that there...

So you can use it of course....

Consider (as a DBA) you want to log on as someone and you don't know their password....

1. get their password from dba_users (say: ABCDEFGHIJK) ie the "gibberish"
2. alter user XXX identified by KNOWN_PASSWORD
3. connect XXX/KNOWN_PASSWORD
4. do my thing
5. alter user XXX identified by values 'ABCDEFGHIJK' (as above)

So you didn't know their password, but you still logged in as them....Voila!

--

---

Connor McDonald
BHP Information Technology
Perth, Western Australia
"The difference between me and a madman is that I am not mad"

• Salvador Dali

Received on Fri Nov 13 1998 - 02:25:34 CST