Re: Help: How is password hashed in Oracle?

joebayer wrote:
> I am using Oracle 9206.
>
> One of the requests from my manager is asking me to provide all the users
> who is using the user_name as their password.
>
> But in DBA_USERS, password column is hashed, how could I get that list?
>
> I remember in Oracle, password is hashed by dbms_system.hash, or something
> like that, could anybody provide some help?
>
> Thanks

You've some good answers as to how to determine if this is the case. But the real issue is that it was ever allowed to happen in the first place. In 5 minutes you can make doing so impossible. Here' how:

Go to Morgan's Library at www.psoug.org
click on Profiles
scroll down to PASSWORD_VERIFY

Essentially all you have to do is create the function and then: ALTER PROFILE default LIMIT password_verify_function verify_function; After you set resource_limit = TRUE in your SPFILE.

The source code for the function is in $ORACLE_HOME/rdbms/admin and has been since version ... anyway a very long time. I'd suggest you then expire all passwords and force password expirations every 60-90 days.

Daniel Morgan
www.psoug.org Received on Thu May 04 2006 - 18:06:04 CDT