Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Oracle password strength

From: Thomas Kyte <tkyte_at_us.oracle.com>
Date: Sat, 27 Feb 1999 02:34:09 GMT
Message-ID: <36db5875.4192348@192.86.155.100>


A copy of this was sent to cn_at_127.0.0.1 ( )
(if that email address didn't require changing)
On 27 Feb 1999 01:42:50 GMT, you wrote:

>Greetings all....
>
>I have a bunch of users who use extremely insecure passwords which violate
>the obvious password no-no's (easy dictionary guess etc). I would like to
>"check" the passwords of my oracle users.
>
>(1) does anyone know the algorithm which Oracle uses to encrypt passwords?
>I see that they are stored in DBA_USERS, but it doesn't seem to be DES...
>Does a password auditing program for "vanilla" Oracle authentication
>and/or Oracle applications exist which will run a dictionary attack?
>

It's not encrypted -- it's digested (one-way hash). You cannot reverse the passwords in the database.

You can develop a crack-like program though to probe the userids. There is 3rd party software that does this (braintree sql secure for example). You could do it by creating another empty database and creating the users in it and putting the contents of your dba_users table into another table (e.g.: in the new database, issue "create table user_passwords as select username, password from dba_users_at_the_real_database").

Now, you can alter each user with 'easy' passwords, comparing the digest created for them against the digest you selected over from the other database. If they match -- you know the password.

Again, 3rd party software does this (you can buy this).

>(2) Is it possible to test the strength of a user's password when they
>change it? I must test the strength of passwords in both "vanilla" Oracle
>(ie. alter user <x> identified by <y>) and that in Oracle financials. I
>assume that I can write a trigger in Financials to intercept poor
>passwords. Is it possible to do so with the traditional Oracle
>authentication mechanism (when a user changes password via alter)?
>

If you have 8.0, yes for the database (for apps, I don't know). For the database, you have your own procedure you can have run to validate a password is 'ok'. See the server admin guide.

>Thank you very much for any help you can give me.. This is driving me
>crazy :)
 

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Service Industries
Reston, VA USA

--
http://govt.us.oracle.com/ -- downloadable utilities  



Opinions are mine and do not necessarily reflect those of Oracle Corporation

Received on Fri Feb 26 1999 - 20:34:09 CST
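
The password-validation procedure mentioned in the reply to question (2), as an added example that is not part of the original post or of Oracle's shipped scripts: a PL/SQL function attached to a profile through PASSWORD_VERIFY_FUNCTION, so it runs whenever a user in that profile changes password. The function name strong_pw_check, the 8-character minimum and the word list are assumptions chosen for illustration.

```sql
-- Added example. Create as SYS; the name, limits and word list are assumptions.
CREATE OR REPLACE FUNCTION strong_pw_check (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  pw        VARCHAR2(128) := UPPER(password);   -- compare case-insensitively
  digits    CONSTANT VARCHAR2(10) := '0123456789';
  letters   CONSTANT VARCHAR2(26) := 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
  has_digit BOOLEAN := FALSE;
  has_alpha BOOLEAN := FALSE;
BEGIN
  -- Length check first; NVL keeps a NULL password out of the loop below.
  IF NVL(LENGTH(password), 0) < 8 THEN
    raise_application_error(-20001, 'Password shorter than 8 characters');
  END IF;
  -- The most common weak choice: password equals the user name.
  IF pw = UPPER(username) THEN
    raise_application_error(-20002, 'Password same as user name');
  END IF;
  -- Constructed sample list; a real deployment would check a site-specific one.
  IF pw IN ('PASSWORD', 'WELCOME1', 'ORACLE123', 'QWERTY123') THEN
    raise_application_error(-20003, 'Password too easy to guess');
  END IF;
  -- Require at least one letter and one digit (no regular expressions needed).
  FOR i IN 1 .. LENGTH(pw) LOOP
    IF INSTR(digits, SUBSTR(pw, i, 1)) > 0 THEN has_digit := TRUE; END IF;
    IF INSTR(letters, SUBSTR(pw, i, 1)) > 0 THEN has_alpha := TRUE; END IF;
  END LOOP;
  IF NOT (has_digit AND has_alpha) THEN
    raise_application_error(-20004, 'Password needs a letter and a digit');
  END IF;
  -- old_password can be NULL, so guard the comparison.
  IF old_password IS NOT NULL AND pw = UPPER(old_password) THEN
    raise_application_error(-20005, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- Attach the function to a profile; users assigned to it are checked on change.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION strong_pw_check;
```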
