Re: Verifying passwords have been changed in oracle
Stephen Harris <sweh_at_spuddy.mew.co.uk> wrote:
> Kevin Grant <X.Tenag_at_znvyobk.th.rqh.nh> wrote:
>> It is based upon the theory that a given password for a given username will
>> encrypt to the same value no matter what the database or OS version. (I've
OK... so it looks like the hash is based purely on username/password.
Instance 1 has SID ora9test and is 9.1.0 on Solaris 8
Instance 2 has SID testdb and is 9.2.0 on Linux
On testdb,
  create user dummy2 identified by manager;
on ora9test,
  create user dummy2 identified by values '42E010F450BDBA98';
grant connect,resource to dummy2;
connect dummy2/manager;
On both, 'alter user dummy2 identified by manager1' and both have the same hex string
However, the hex string '42E010F450BDBA98' (the "manager" password for dummy2) doesn't match the hex string for system on testdb.
These three accounts all have 'manager' as their password:
SQL> select username,password from dba_users where username='SYSTEM' or username like 'DUMMY%';
USERNAME                       PASSWORD
------------------------------ ------------------------------
DUMMY                          5DFC026608CAC3A7
DUMMY2                         42E010F450BDBA98
SYSTEM                         D4DF7931AB130E37
SQL> connect system/manager
Connected.
SQL> connect dummy/manager
Connected.
SQL> connect dummy2/manager
Connected.
So it _seems_ as if the hash is based purely on the username/password and doesn't have any database specific dependencies.
Can anyone confirm that this is correct? If so, I can use this as a method of checking the default accounts.
-- 
Stephen Harris
sweh_at_spuddy.mew.co.uk
The truth is the truth, and opinion just opinion. But what is what?
My employer pays to ignore my opinions; you get to do it for free.

Received on Mon Nov 11 2002 - 13:29:06 CST
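
The check proposed in the post, written as a query (an added example, not part of the original post). It assumes the hash depends only on username and password, as the experiment above suggests, and a release like the 9.x instances in the post where dba_users.password holds the hash; the three reference pairs are the 'manager' hashes shown above, and the name known_defaults is made up for this example.

```sql
-- Added example: flag accounts whose stored hash still equals the hash of a
-- known default password.
--
-- The reference list is keyed on USERNAME as well as the hash, because the
-- post shows that the same password ('manager') gives a different hash for
-- DUMMY, DUMMY2 and SYSTEM. A list of hashes alone would miss this.
--
-- The three pairs below are taken from the post. Extend the list with pairs
-- generated on a scratch instance (create the user with the default password,
-- then read its hash from dba_users).
WITH known_defaults AS (
  SELECT 'SYSTEM' AS username, 'D4DF7931AB130E37' AS default_hash FROM dual
  UNION ALL
  SELECT 'DUMMY',  '5DFC026608CAC3A7' FROM dual
  UNION ALL
  SELECT 'DUMMY2', '42E010F450BDBA98' FROM dual
)
SELECT u.username,
       u.account_status,          -- a locked account is less urgent than an open one
       CASE
         WHEN u.password = k.default_hash THEN 'DEFAULT PASSWORD STILL SET'
         ELSE 'changed'
       END AS finding
FROM   dba_users u,
       known_defaults k
WHERE  u.username = k.username    -- accounts absent from this instance drop out
ORDER  BY finding, u.username;
```

Because the comparison is on stored hashes, the audit needs only read access to dba_users and no login attempts against the accounts being checked.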