Re: Oracle password encryption algorithm?

From: Ian A. MacGregor <ian_at_tethys.SLAC.Stanford.EDU>
Date: Thu, 1 Jul 1993 16:42:28 GMT
Message-ID: <C9Hvqs.BqC_at_unixhub.SLAC.Stanford.EDU>


In article <1993Jun30.154324.1_at_cissys>, trahan_at_cissys.read.tasc.com (Dave Trahan) writes:
|>
|> Does anyone know what algorithm Oracle uses to encrypt user passwords? Has
|> it changed in the last several versions (5,6,7)? Is there a "public" way
|> to access this routine? Is the algorithm the same on all platforms?
|>
|> I'm trying to write a tool to find users who have set their Oracle password
|> to be the same as their Oracle username. I'm familiar with the method used
|> in such system tools as COPS, and I'm trying to apply the same technique
|> to Oracle, but without the encryption algorithm, I'm kinda stuck. I heard
|> it was based on the Unix 'crypt' algorithm, but with a minor change.
|>
|>
|> Any thoughts?
|>
|>
|> Dave Trahan
|> DETRAHAN_at_TASC.COm

The Oracle password encryption algorithm always encrypts the plain text password string to the same encrypted string provided that the usernames are the same. Thus if you wrote

                   grant connect to scott identified by scott;

and then

                   select password from sys.dba_users
                   where username = 'SCOTT';

each time you ran the two statements, the encrypted password displayed by the second would be the same. However, if you were to write

                   grant connect to king identified by scott;

and then

                   select password from sys.dba_users
                   where username = 'KING';

the encrypted password would be different from the first example.

In order to test whether scott's password is scott you can do the following:

                   select password from sys.dba_users
                   where username = 'SCOTT';

Carefully copy the encrypted password. Next, issue

                   grant connect to scott identified by scott;

Rerun

                   select password from sys.dba_users
                   where username = 'SCOTT';

Compare the two encrypted passwords. If they are the same, then the original password for user scott was scott.

If not, you'll need to restore the user's original password. You can do this with the following statement:

                   grant connect to scott
                   identified by values '<original_encrypted_password_string>';



                                 Ian MacGregor
                                 Stanford Linear Accelerator Center
                                 (415) 926-3528

Received on Thu Jul 01 1993 - 18:42:28 CEST
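
Added example, not part of the original post: the save, test, compare and restore steps described in the reply, written as one PL/SQL block for a single account so that the original encrypted password is put back even if a step fails. It assumes a DBA session in SQL*Plus, a release where sys.dba_users.password is populated and EXECUTE IMMEDIATE is available; the variable names and the error number are illustrative.

```sql
-- Added example, not from the original post. SCOTT is the post's sample account.
set serveroutput on
declare
  v_user   varchar2(30) := 'SCOTT';   -- hard-coded; never build this from user input
  v_saved  varchar2(30);              -- original encrypted password
  v_trial  varchar2(30);              -- encrypted form of password = username
begin
  -- Step 1: save the current encrypted password before touching the account.
  select password into v_saved
    from sys.dba_users
   where username = v_user;

  if v_saved is null then
    -- No stored hash means nothing could be restored afterwards, so stop here.
    raise_application_error(-20001, v_user || ': no encrypted password to save');
  end if;

  begin
    -- Step 2: set the password to the username, using the post's statement.
    execute immediate
      'grant connect to ' || v_user || ' identified by ' || v_user;

    -- Step 3: read back the encrypted password for password = username.
    select password into v_trial
      from sys.dba_users
     where username = v_user;
  exception
    when others then
      -- A failure in step 2 or 3 must not leave the account changed.
      execute immediate
        'grant connect to ' || v_user ||
        ' identified by values ''' || v_saved || '''';
      raise;
  end;

  -- Step 4: put the original encrypted password back in every case.
  execute immediate
    'grant connect to ' || v_user ||
    ' identified by values ''' || v_saved || '''';

  if v_trial = v_saved then
    dbms_output.put_line(v_user || ': password is the same as the username');
  else
    dbms_output.put_line(v_user || ': password differs from the username');
  end if;
end;
/
```

Between steps 2 and 4 the account briefly has its username as its password, so run the block when the account is not in use.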
