Re: Verifying passwords have been changed in oracle

From: Stephen Harris <sweh_at_spuddy.mew.co.uk>
Date: Mon, 11 Nov 2002 14:29:06 -0500
Message-ID: <2e0pqa.dje.ln@spuddy.org>


Stephen Harris <sweh_at_spuddy.mew.co.uk> wrote:
> Kevin Grant <X.Tenag_at_znvyobk.th.rqh.nh> wrote:

>> It is based upon the theory that a given password for a given username will 
>> encrypt to the same value no matter what the database or OS version. (I've 

>
> If this is true then it makes life a lot easier for me (and also makes oracle
> a lot more open to dictionary attack...). I plan on building an Oracle 9i
> install on linux tomorrow (which should therefore be sufficiently different
> from the Solaris system I'm testing) and see if this true.

OK... so it looks like the hash is based purely on username/password.

Instance 1 has SID ora9test and is 9.1.0 on Solaris 8.
Instance 2 has SID testdb and is 9.2.0 on Linux.

On testdb, create user dummy2 identified by manager; on ora9test, create user dummy2 identified by values '42E010F450BDBA98';

             grant connect,resource to dummy2;
             connect dummy2/manager;

This works.

On both, 'alter user dummy2 identified by manager1' and both have the same hex string.

However, the hex string '42E010F450BDBA98' (the "manager" password for dummy2) doesn't match the hex string for system on testdb.

These three accounts all have 'manager' as their password:

SQL> select username,password from dba_users where username='SYSTEM' or username like 'DUMMY%';

USERNAME                       PASSWORD
------------------------------ ------------------------------
DUMMY                          5DFC026608CAC3A7
DUMMY2                         42E010F450BDBA98
SYSTEM                         D4DF7931AB130E37

SQL> connect system/manager
Connected.
SQL> connect dummy/manager
Connected.
SQL> connect dummy2/manager
Connected.

So it _seems_ as if the hash is based purely on the username/password and doesn't have any database specific dependencies.

Can anyone confirm that this is correct? If so, I can use this as a method of checking the default accounts.

-- 
                                 Stephen Harris
                              sweh_at_spuddy.mew.co.uk
      The truth is the truth, and opinion just opinion.  But what is what?
       My employer pays to ignore my opinions; you get to do it for free.
Received on Mon Nov 11 2002 - 13:29:06 CST
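The default-account check the post proposes, as an added example that is not part of the original message or of Oracle's tooling: because the legacy hash shown above depends only on USERNAME and password, an auditor can parse the output of the post's dba_users query and match each (username, hash) pair against a table of pairs already known to correspond to a default password. The three known pairs below are the ones quoted in the post (all for the password 'manager'); the APPUSER row and its hash in the sample output are constructed, and the function names are this example's own.

```python
"""Flag dba_users rows that still carry a known default password.

Defensive audit only: the script never computes an Oracle hash, it compares
the hashes already stored in dba_users against (USERNAME, hash) pairs that are
known to belong to a default password, exactly as the post suggests.
"""

# (USERNAME, legacy hash) -> the default password it is known to encode.
# These three pairs are taken from the dba_users output quoted in the post.
KNOWN_DEFAULT_HASHES = {
    ("SYSTEM", "D4DF7931AB130E37"): "manager",
    ("DUMMY", "5DFC026608CAC3A7"): "manager",
    ("DUMMY2", "42E010F450BDBA98"): "manager",
}

# Constructed sample: SQL*Plus output in the same layout as the post's query
# 'select username,password from dba_users ...'.  APPUSER and its hash are
# made up for this example.
SAMPLE_OUTPUT = """\
USERNAME                       PASSWORD
------------------------------ ------------------------------
DUMMY                          5DFC026608CAC3A7
DUMMY2                         42E010F450BDBA98
SYSTEM                         D4DF7931AB130E37
APPUSER                        0123456789ABCDEF

4 rows selected.
"""

HEX_DIGITS = set("0123456789ABCDEF")


def parse_dba_users(text):
    """Return a list of (USERNAME, hash) tuples from SQL*Plus output.

    Header, underline and 'n rows selected.' lines are skipped, as is any
    row whose PASSWORD column is not a 16-hex-digit legacy hash (for example
    EXTERNAL or a locked marker).
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                       # blank, header noise, row count
        username, pw_hash = parts
        if username == "USERNAME" or username.startswith("-"):
            continue                       # column header or its underline
        pw_hash = pw_hash.upper()
        if len(pw_hash) != 16 or not set(pw_hash) <= HEX_DIGITS:
            continue                       # not a legacy password hash
        rows.append((username.upper(), pw_hash))
    return rows


def find_default_passwords(rows, known=KNOWN_DEFAULT_HASHES):
    """Return {USERNAME: default_password} for rows matching a known pair.

    The username is part of the key on purpose: the post shows that the same
    password yields a different hash for each username, so a hash alone
    identifies nothing.
    """
    hits = {}
    for username, pw_hash in rows:
        password = known.get((username, pw_hash))
        if password is not None:
            hits[username] = password
    return hits


if __name__ == "__main__":
    for user, pw in sorted(find_default_passwords(parse_dba_users(SAMPLE_OUTPUT)).items()):
        print(f"{user}: still has default password {pw!r}")
```

Feed it the spooled output of the post's query from any instance; a match means the account has the listed default password on that instance, whatever the OS or Oracle release, and should be changed or locked. Rows whose hash is not in the table are simply not reported, so the table only ever needs to grow with pairs an auditor has verified on a test instance the way the post does.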
