
Re: Password complexity Case Problem

From: Pete Finnigan <plsql_at_petefinnigan.com>
Date: Fri, 21 Nov 2003 19:11:28 +0000
Message-ID: <r4B6WcAgNmv$QxTp@peterfinnigan.demon.co.uk>


Hi Glen,

This is easy to answer: you are wasting your time because Oracle is not case sensitive for passwords, even if they are encased in quotes. I posted an answer on the ORACLE-L list a few weeks ago to a similar question that Jared Still was trying to find a solution for. Here is an example proving that passwords are not case sensitive:

<quote>
Oracle is not case sensitive for passwords even when the password is set using quotes. See for example:

SQL> connect system/manager@zulia
Connected.
SQL> -- create a user no quotes lower case
SQL> create user jared identified by jared;

User created.

SQL> select password from dba_users where username='JARED';

PASSWORD
C142CAC4DE964694

SQL> -- change the password, no quotes upper case
SQL> alter user jared identified by JARED;

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD
C142CAC4DE964694

SQL> -- change the password, no quotes initcap
SQL> alter user jared identified by Jared;

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD
C142CAC4DE964694

SQL> -- try now with quotes, upper case
SQL> alter user jared identified by "JARED";

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD
C142CAC4DE964694

SQL> -- with quotes, lower case
SQL> alter user jared identified by "jared";

User altered.

SQL> select password from dba_users where username ='JARED';

PASSWORD
C142CAC4DE964694

SQL> -- with quotes initcap
SQL> alter user jared identified by "Jared";

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD
C142CAC4DE964694

As you can no doubt see the hash is the same no matter what case is used and also even if the password is encased in quotes. This seems to defy the logic of using quotes to use any character such as:

SQL> alter user jared identified by "£$%^";

User altered.

SQL> select password from dba_users where username='JARED';

PASSWORD
8248DF340D98455E

SQL> connect jared/"£$%^"@zulia
ERROR:
ORA-01045: user JARED lacks CREATE SESSION privilege; logon denied

Warning: You are no longer connected to ORACLE.
SQL> connect system/manager@zulia
Connected.
SQL> grant create session to jared;

Grant succeeded.

SQL> connect jared/"£$%^"@zulia
Connected.
SQL>

Why then, if it allows the whole character set including control characters, does it change letters to make ASCII letters case insensitive?

Anyway, the point is, from above, the original OP cannot force a password to be case sensitive as Oracle does not recognise case for passwords.
</quote>

hope this clarifies your issue

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Fri Nov 21 2003 - 13:11:28 CST
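
Because the hash shown above ignores letter case, a complexity rule that demands mixed case adds nothing. The following is an added example, not part of the original post or of Oracle's own scripts: a password verify function that judges the candidate only after folding case. The function name, the profile name `app_users`, the 8-character minimum and the error numbers are assumptions.

```sql
-- Added example, not from the original post. verify_case_folded, app_users,
-- the 8-character minimum and the error numbers are assumptions.
-- Create it as SYS so that a profile can reference it.
CREATE OR REPLACE FUNCTION verify_case_folded (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  -- Judge the password in the form the stored hash reflects: case folded away.
  folded    VARCHAR2(4000) := UPPER(password);
  ch        VARCHAR2(8);
  has_alpha BOOLEAN := FALSE;
  has_digit BOOLEAN := FALSE;
  has_other BOOLEAN := FALSE;
BEGIN
  IF folded IS NULL OR LENGTH(folded) < 8 THEN
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  -- "jared", "JARED" and "Jared" are the same password for user JARED.
  IF folded = UPPER(username) THEN
    raise_application_error(-20002, 'Password must not match the username in any case');
  END IF;
  -- old_password is NULL when an administrator resets the password.
  IF old_password IS NOT NULL AND folded = UPPER(old_password) THEN
    raise_application_error(-20003, 'New password must differ from the old one by more than case');
  END IF;
  -- Count character classes on the folded value, so mixed case earns nothing.
  FOR i IN 1 .. LENGTH(folded) LOOP
    ch := SUBSTR(folded, i, 1);
    IF INSTR('ABCDEFGHIJKLMNOPQRSTUVWXYZ', ch) > 0 THEN
      has_alpha := TRUE;
    ELSIF INSTR('0123456789', ch) > 0 THEN
      has_digit := TRUE;
    ELSE
      has_other := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_alpha AND has_digit AND has_other) THEN
    raise_application_error(-20004, 'Password needs a letter, a digit and one other character');
  END IF;
  RETURN TRUE;
END;
/

-- app_users is a hypothetical, already existing profile.
ALTER PROFILE app_users LIMIT PASSWORD_VERIFY_FUNCTION verify_case_folded;
```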
