Re: Oracle Password Encryption Algorithm

From: Michael Jessen <mjessen_at_westpac.com.au>
Date: 1997/03/20
Message-ID: <3331BEA3.19B4_at_westpac.com.au>#1/1


Roeland Stouthart wrote:
>
> > I have a similar requirement in my Oracle app. A user, who does not
> > have the authority to perform a certain action should a certain
> > condition arise, needs to have a supervisor or co-worker who is
> > authorized validate the transaction. I can tell if the other person is
> > authorized because it is driven by the Oracle role mechanism. The
> > other person has to 'walk' over to the operator's terminal, enter their
> > Oracle userID and password. If it matches, then I can permit the
> > transaction to proceed.
> >
> > This shouldn't be too difficult. I know that the password encryption
> > is only 1-way. Since it is easy to do this type of validation on the
> > Unix side, I thought someone might have done something similar on the
> > Oracle side.
> >
> > Dave Macpherson
> >
> As long as you haven't found the algorithm you could use an additional role
> with password for the user. Only after the authorizer typed his
> password, the application can successfully enable the role and the
> transaction can be completed.
>
> Roeland

What about setting aside a special userid, and testing the co-worker's password by having your code change the special userid's password to the co-worker's value? Then, after Oracle has encrypted this, look into dba_users and compare the co-worker's actual userid's password with the special userid's password - they should now match.

Mike.

Received on Thu Mar 20 1997 - 00:00:00 CET