Re: How does Oracle protect (encrypt) user passwords in Oracle 8?
In article <socr9ema23l.fsf_at_rwessman-sun.us.oracle.com>,
Rick Wessman <rwessman_at_us.oracle.com> wrote:
> javierpf_at_usa.net writes:
>
> > Rick,
> >
> > I wonder if that modified DES algorithm is available in a function I
> > could execute and it could return the cyphertext as the result of
> > hashing the word entered by user as password.
> There is no such function available. However, there is somewhat of a hack
> available that will do what you want. I described the method in a recent
> response. You should be able to find it in dejanews.
>
> Rick
>
> >
> > Javier.
> >
> > > The algorithm is a modified DES algorithm which is proprietary to Oracle. In
> > > addition, the algorithm is one-way so there is no way to decrypt it.
> > >
> > > javierpf_at_usa.net writes:
> > >
> > > > Hi all people!!
> > > >
> > > > Could you tell me how Oracle stores the passwords? I mean, what
> > > > encryption method does Oracle use? Is there a tool to decrypt the
> > > > passwords?
> > > >
> > > > I am trying to check the quality of the passwords used by users and I
> > > > could not find any tool or way to decrypt them.
> > > >
> > > > I would also like to use the same encryption method to encode passwords
> > > > managed internally by an application.
> > > >
> > > > Thanks.
> > > >
> > > >
> > > > Sent via Deja.com http://www.deja.com/
> > > > Before you buy.
> > >
> > > --
> > > Rick
> > > Rick Wessman
> > > Security and Directory Technologies
> > > Server Technologies
> > > Oracle Corporation
> > > rwessman_at_us.oracle.com
> > >
> > > The statements and opinions expressed here are my own and do not
> > > necessarily represent those of Oracle Corporation.
> > >
> >
> >
>
> The opinions expressed above are mine and do not necessarily reflect
> those of Oracle Corporation.
>
Rick,

It is a great pleasure to talk directly with Oracle's people, especially with security colleagues.
Thanks for your prompt response.

I wasn't trying to hack the password; if I were, I know a better method:

1- Set a verification function as Password_verification_function in your users' profile.
2- Inside the function, store the user name and password passed as parameters in a table.
3- Limit the expiration date of user accounts by setting the password_life_time profile parameter to oblige them to change their passwords.
4- That's it! You have the decrypted passwords the next time users change their own.

Javier Pflaum
Data Security Analyst
CTi Movil S.A. (Argentina)
Jpflaum_at_cti.com.ar
Received on Wed Feb 09 2000 - 11:49:24 CST
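
The procedure in the post above works because a password verification function receives every new password in cleartext, so it should be audited like any other privileged code. The queries below are an added example, not part of the original thread; they use the standard DBA_PROFILES, DBA_USERS, DBA_DEPENDENCIES and DBA_SOURCE dictionary views and assume the function is owned by SYS, as Oracle requires for verification functions.

```sql
-- Added audit example (not from the thread). Run as a DBA.

-- 1. Profiles with an explicit verification function and the users on them.
--    Profiles whose limit is 'DEFAULT' inherit the DEFAULT profile's setting.
SELECT p.profile, p.limit AS verify_function, u.username
FROM   dba_profiles p, dba_users u
WHERE  u.profile (+) = p.profile
AND    p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
AND    p.limit NOT IN ('NULL', 'DEFAULT')
ORDER  BY p.profile, u.username;

-- 2. Objects each of those functions references. A complexity check needs
--    nothing beyond SYS.STANDARD; a referenced table, view, synonym or
--    I/O package deserves a manual review of the function body.
SELECT d.name AS verify_function,
       d.referenced_owner, d.referenced_name, d.referenced_type
FROM   dba_dependencies d
WHERE  d.owner = 'SYS'
AND    d.type  = 'FUNCTION'
AND    d.name IN (SELECT limit FROM dba_profiles
                  WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION')
AND    NOT (d.referenced_owner = 'SYS' AND d.referenced_name = 'STANDARD')
ORDER  BY d.name, d.referenced_type;

-- 3. Source lines that write data or build dynamic SQL, which the
--    static dependency check in query 2 cannot see.
SELECT s.name, s.line, s.text
FROM   dba_source s
WHERE  s.owner = 'SYS'
AND    s.type  = 'FUNCTION'
AND    s.name IN (SELECT limit FROM dba_profiles
                  WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION')
AND   (UPPER(s.text) LIKE '%INSERT%'
    OR UPPER(s.text) LIKE '%UPDATE%'
    OR UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
    OR UPPER(s.text) LIKE '%DBMS_SQL%'
    OR UPPER(s.text) LIKE '%UTL_FILE%'
    OR UPPER(s.text) LIKE '%UTL_HTTP%'
    OR UPPER(s.text) LIKE '%UTL_SMTP%')
ORDER  BY s.name, s.line;
```

Query 3 cannot search wrapped (obfuscated) PL/SQL, so a verification function whose source is wrapped should be reviewed by hand or replaced with one of known origin.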