
How Oracle stores password

From: <suvamoysen_at_my-dejanews.com>
Date: Tue, 13 Apr 1999 20:07:19 GMT
Message-ID: <7f085g$j8p$1@nnrp1.dejanews.com>


I was hoping that one of you Oracle gurus could help me out on this:

As far as I know, Oracle stores passwords of users in digest form. As this is a one-way, irreversible process, there is no way to extract the original password back from this digest. Oracle just computes this digest whenever a user tries to log on to the database, compares it with the stored digest, and allows logons only if the computed and stored digests match. This is what I know (I may be wrong).

My question is this: when a remote database is accessed via a database link, the local database creates a session on the remote database using the userid/password stored in the database link. This is fine when the database link connects as a fixed user, i.e. the password is also stored in the database link. However, if the database link is of type connected user, then Oracle opens a session on the remote database with the same userid/password as that of the local user. This means Oracle is able to compute the original password of the connected user from the digest stored in its data dictionary, and if Oracle can do it, obviously others can do it too. This seems to be some kind of a security hole in the database.

Can any of you folks explain what is going on? Thanks in advance.

Suvamoy Sen - Oracle DBA

Received on Tue Apr 13 1999 - 15:07:19 CDT
