Re: oracle passwd

From: Scott Anderson <dr_sql_at_netcom.com>
Date: Sun, 14 Feb 1993 03:47:26 GMT
Message-ID: <1993Feb14.034726.10195_at_netcom.com>

In article <14011_at_davids> davids_at_Software.Mitel.COM (David So) writes:
>just for curisosity, anyone knows how to decode the passwd stored in
>dba_users?

Oracle uses "one-way" encryption, not an encoding scheme. The password is encrypted (characters within the password are used to calculate the encrypted password) and then stored. When a logon occurs, the password given is also encrypted and the encrypted values are compared. The database doesn't know the password.

In theory, this means that more than one password will work. I think that a password of A and AA used to encrypt to the same value, but I haven't tried in quite a while. Now (also theoretically) if you knew the formula used for encryption, you could generate the domain of possible answers through a brute force algorithm that tried every combination of characters until you stumbled on one that encrypted to the same value (by the way, two people with the same password have the same encrypted password, which I think is a flaw that could be corrected by simply using the account as part of the encryption algorithm). Anything else (reversing the algorithm and plugging in the encrypted passord) isn't very likely even if you knew the algorithm.

	To demonstrate:
	Let's say we have placed the ascii value of each character of the
        password in P1 through P8.  We could "one way" encrypt it using a
	very simple algorithm:

	ep = chr((p2+p4+p6+p7)/4) || chr((p1-p7+p8+p3+p5)/4) ||
	     chr((p1+p2+p4+p5+p7+p8)/6) || chr((p2+p3+p5+p6+p7)/5) ||
	     chr((p7+p8)/2) || chr((p1+p2+p3+p4+p5+p7)/6) ||
	     chr((p1+p3+p5+p6+p8)/5) || chr((p1+p3+p4+p5+p6+p7)/6)

	You can see that each character of the encrypted password is actually

based on characters from other positions in the original password. So the solution for any character is dependent on knowing the other characters. This example suffers somewhat from the fact that I was dividing, a better method would be to have some multiplying, some obscure (prime) constants, and then for each character divide by 192 (usable ascii characters) and take the remainder. That would yield more changeable results (what I did was to use the average character). Hope this explains this for you.

			Regards,
			   Dr*SQL
			   dr_sql_at_netcom.com.com

Received on Sun Feb 14 1993 - 04:47:26 CET

This message: [ Message body ]
Next message: AI4CPHYW_at_MIAMIU.BITNET: "Help with Sequences Needed"
Previous message: Eric Vyncke: "PRINT-key in Forms"
In reply to: David So: "oracle passwd"
In reply to David So: "oracle passwd"
Next in thread: champs_at_hhcs.gov.au: "Re: UPDATE A with B"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message