Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: How does Oracle protect (encrypt) user passwords in Oracle 8?.

Re: How does Oracle protect (encrypt) user passwords in Oracle 8?.

From: <javierpf_at_usa.net>
Date: Wed, 09 Feb 2000 17:49:24 GMT
Message-ID: <87s9b2$ltl$1@nnrp1.deja.com> 





In article <socr9ema23l.fsf_at_rwessman-sun.us.oracle.com>,
  Rick Wessman <rwessman_at_us.oracle.com> wrote:


> javierpf_at_usa.net writes:


>


> > Rick,


> >


> > I wonder if that modified DES algorithm is available in a function I


> > could execute and it could return the cyphertext as the result of


> > hashing the word entered by user as password.


> There is no such function available. However, there is somewhat of a


hack


> available that will do what you want. I described the method in a


recent


> response. You should be able to find it in dejanews.


>


>                                       Rick


>


> >


> > Javier.


> >


> > > The algorithm is a modified DES algorithm which is proprietary to


> > Oracle. In


> > > addition, the algorithm is one-way so there is no way to decrypt


it.


> > >


> > > javierpf_at_usa.net writes:


> > >


> > > > Hi all people!!


> > > >


> > > > Could you tell me how Oracle stores the passwords?. I mean, what


> > > > encryptation method Oracle uses?. Is there a tool to decrypt the


> > > > passwords?.


> > > >


> > > > I am trying to check the quality of the password used by users


and I


> > > > could not find any tool or way to decrypt them.


> > > >


> > > > I would also like to use the same encryption method to encode


> > password


> > > > managed internally by an application.


> > > >


> > > > Thanks.


> > > >


> > > >


> > > > Sent via Deja.com http://www.deja.com/


> > > > Before you buy.


> > >


> > > --


> > >                                         Rick


> > >                                         Rick Wessman


> > >                                         Security and Directory


> > Technologies


> > >                                         Server Technologies


> > >                                         Oracle Corporation


> > >                                         rwessman_at_us.oracle.com


> > >


> > >        The statements and opinions expressed here are my own and


do


> > not


> > >              necessarily represent those of  Oracle Corporation.


> > >


> >


> >


> > Sent via Deja.com http://www.deja.com/


> > Before you buy.


>


>      The opinions expressed above are mine and do not necessarily


reflect


>                          those of Oracle Corporation.


>





Rick,



It is great pleasure to talk directly with Oracle's people, specially
with security colleagues.



Thanks for your soon response.



I wasn't trying to hack the password, if so I know a better method:



1- Set a verification function as Password_verification_function in
your users profile.


2- Inside the function, store user name and password passed by
parameter in a table.


3- Limit the expiration date of user accounts by setting the
password_life_time  profile parameter to oblige them to change his/her
password.


4- That's it! You have decrypted password next time users change their
own ones.




Javier Pflaum


Data Security Analyst


CTi Movil S.A. (Argentina)


Jpflaum_at_cti.com.ar




Sent via Deja.com http://www.deja.com/



Before you buy.
Received on Wed Feb 09 2000 - 11:49:24 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US