Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


Re: Verifying passwords have been changed in oracle

From: I.A. Saez <i.a.saez.scheihingGEENSPAM_at_tue.nl>
Date: Tue, 12 Nov 2002 15:09:05 +0100
Message-ID: <3DD10B81.B35C5EA0@tue.nl>


Many, many, many moons ago Oracle used the Purdy method to hash passwords (Oracle version 4).
It's so long ago that I'm not sure about Purdy (I'm not even sure if this is spelled correctly). Which hash/encryption Oracle nowadays uses is unknown to me.

kind regards,

Ivan

Stephen Harris wrote:

> Joe Kazimierczyk <joekazimierczyk_at_netscape.net> wrote:
> > I don't think that Oracle publishes how the password hash is made,
>
> No, they don't seem to... which strikes me as slightly absurd, unless
> there is a known weakness in the algorithm. crypt() on unix, for example,
> is a one way hash just like the oracle password is meant to be, and the
> algorithm for that (and source code) is well known. Ah well.
>
> > my own experience, your observations are correct: A username/password
> > pair generates the same hash in oracle version 7.x through 9.2, whether
> > it's Solaris, Linux, Irix, HP-UX, VMS, NT... The hash is different
>
> That's useful to know. Thanks!
>
> > Thinking about it, having the same password hash across platforms
> > and versions is the only way that export/import can work across
> > platforms and versions without requiring password resets after import.
>
> Well, each database instance could have a random value stored in the
> data dictionary somewhere, and this value used to permute the hash
> algorithm. So an exp/imp would keep that value and the resulting
> database still work. Or, as with the unix crypt(), having a potential
> 2^10 hashes for each password, making dictionary based attacks that much
> harder (have to do the encryption each time based on the password salt,
> rather than precomputed hashes).
>
> So there are ways Oracle could have made the hash different each time.
> This seems to add credence to the "weak algorithm" theory. Ah well.
>
> I'm going forward on the assumption that the hex string will be the same
> each time. It seems to work :-)
>
> Thanks for your (and everyone else's) help!
>
> --
> Stephen Harris
> sweh_at_spuddy.mew.co.uk
> The truth is the truth, and opinion just opinion. But what is what?
> My employer pays to ignore my opinions; you get to do it for free.
Received on Tue Nov 12 2002 - 08:09:05 CST
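The point Stephen makes in the quoted reply (a deterministic, unsalted hash is portable across instances but lets one precomputed dictionary crack every instance, whereas a per-instance random value stored in the data dictionary forces the attacker to redo the hashing for each salt) is shown below in an added example that is not part of the thread. The hash function is a stand-in: SHA-256 over an upper-cased `USER:PASSWORD` string is an assumption for illustration only, not Oracle's algorithm (which, as the posters note, is unpublished). The wordlist and account are constructed for the demo.

```python
import hashlib
import secrets

# Constructed wordlist for the demo; a real attack would use a far larger one.
WORDLIST = ["welcome1", "oracle", "manager", "change_on_install", "tiger"]


def _folded(username: str, password: str) -> bytes:
    # Assumption: case-folded user+password, so SCOTT/tiger == scott/TIGER.
    return f"{username.upper()}:{password.upper()}".encode()


def unsalted_hash(username: str, password: str) -> str:
    """Stand-in for an unsalted one-way hash of (username, password).
    Because nothing instance-specific goes in, the same pair yields the same
    hex string on every instance, platform and version (what exp/imp relies on)."""
    return hashlib.sha256(_folded(username, password)).hexdigest()


def salted_hash(salt: bytes, username: str, password: str) -> str:
    """The same input mixed with a random per-instance (or per-user) salt,
    as Stephen suggests Oracle could have done."""
    return hashlib.sha256(salt + _folded(username, password)).hexdigest()


def precompute_table(username: str, wordlist, hash_fn) -> dict:
    """Attacker's precomputed table: hex digest -> candidate password."""
    return {hash_fn(username, pw): pw for pw in wordlist}


def password_changed(old_hex: str, new_hex: str) -> bool:
    """Stephen's check: with a deterministic hash, a differing stored hex
    string means the password (or the username) changed."""
    return old_hex != new_hex


def rehash_crack(salt: bytes, username: str, target_hex: str, wordlist):
    """Online dictionary attack: hash each candidate under this salt.
    The work is repeated once per distinct salt instead of once overall."""
    for pw in wordlist:
        if salted_hash(salt, username, pw) == target_hex:
            return pw
    return None


def demo() -> dict:
    user = "SCOTT"

    # Two instances holding the same account with the same password.
    inst_a = unsalted_hash(user, "tiger")
    inst_b = unsalted_hash(user, "tiger")
    table = precompute_table(user, WORDLIST, unsalted_hash)

    # Salted variant: each instance stores its own random value.
    salt_a = secrets.token_bytes(16)
    salt_b = secrets.token_bytes(16)
    salted_a = salted_hash(salt_a, user, "tiger")
    salted_b = salted_hash(salt_b, user, "tiger")
    table_for_a = precompute_table(
        user, WORDLIST, lambda u, p: salted_hash(salt_a, u, p))

    return {
        # Unsalted: identical hex across instances, one table cracks both.
        "unsalted_same_across_instances": inst_a == inst_b,
        "unsalted_cracked_a": table.get(inst_a),
        "unsalted_cracked_b": table.get(inst_b),
        # Password change is visible as a changed hex string.
        "change_detected": password_changed(inst_a, unsalted_hash(user, "lion")),
        "no_change_detected": password_changed(inst_a, unsalted_hash(user, "tiger")),
        # Salted: same password, different hex per instance; A's table
        # is useless against B, the attacker has to rehash under B's salt.
        "salted_same_across_instances": salted_a == salted_b,
        "salted_b_cracked_with_a_table": table_for_a.get(salted_b),
        "salted_b_cracked_by_rehash": rehash_crack(salt_b, user, salted_b, WORDLIST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `password_changed` check is exactly what Stephen says he is relying on: because the unsalted hex string is a pure function of the username/password pair, comparing the stored value before and after is a valid "was it changed" test, and the same property is what makes a single precomputed dictionary reusable against every instance.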

