Re: Oracle password encryption algorithm?
Date: Thu, 1 Jul 1993 16:42:28 GMT
Message-ID: <C9Hvqs.BqC_at_unixhub.SLAC.Stanford.EDU>
In article <1993Jun30.154324.1_at_cissys>, trahan_at_cissys.read.tasc.com (Dave Trahan) writes:
|>
|> Does anyone know what algorithm Oracle uses to encrypt user passwords? Has
|> it changed in the last several versions (5,6,7)? Is there a "public" way
|> to access this routine? Is the algorithm the same on all platforms?
|>
|> I'm trying to write a tool to find users who have set their Oracle password
|> to be the same as their Oracle username. I'm familiar with the method used
|> in such system tools as COPS, and I'm trying to apply the same technique
|> to Oracle, but without the encryption algorithm, I'm kinda stuck. I heard
|> it was based on the Unix 'crypt' algorithm, but with a minor change.
|>
|>
|> Any thoughts?
|>
|>
|> Dave Trahan
|> DETRAHAN_at_TASC.COm
The Oracle password encryption algorithm always encrypts the plain text password string to the same encrypted string, provided that the usernames are the same. Thus if you wrote
grant connect to scott identified by scott;
and then
select password from sys.dba_users where username = 'SCOTT';
each time you ran the two statements, the encrypted password displayed by the second would be the same. However, if you were to write
grant connect to king identified by scott;
and then
select password from sys.dba_users where username = 'KING';
the encrypted password would be different from the first example.
In order to test whether scott's password is scott you can do the following:
select password from sys.dba_users where username = 'SCOTT';
Carefully copy the encrypted password. Next, issue
grant connect to scott identified by scott;
Rerun
select password from sys.dba_users where username = 'SCOTT';
Compare the two encrypted passwords. If they are the same, then the original password for user scott was scott.
If not, you'll need to restore the user's original password. You can do this with the following statement:
grant connect to scott identified by values '<original_encrypted_password_string>';

Ian MacGregor
Stanford Linear Accelerator Center
(415) 926-3528
Received on Thu Jul 01 1993 - 18:42:28 CEST
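
The copy / reset / compare / restore procedure from the reply above, modelled as an added example that is not part of the original post and is not Oracle code. The user table is an in-memory stand-in for sys.dba_users, and stand_in_hash is a placeholder (not Oracle's algorithm) that only shares the property the post describes: the result depends on both username and password. All names are hypothetical.

```python
import hashlib

def stand_in_hash(username, password):
    # Placeholder, NOT Oracle's algorithm. Model assumption: case is folded,
    # as with the unquoted identifiers in the SQL statements of the post.
    data = (username.upper() + ":" + password.upper()).encode()
    return hashlib.sha256(data).hexdigest()[:16].upper()

class FakeUserTable:
    """Constructed in-memory model of sys.dba_users (username -> stored hash)."""
    def __init__(self):
        self.rows = {}

    def identified_by(self, user, password):
        # models: grant connect to <user> identified by <password>;
        self.rows[user.upper()] = stand_in_hash(user, password)

    def identified_by_values(self, user, value):
        # models: grant connect to <user> identified by values '<hash>';
        self.rows[user.upper()] = value

    def select_password(self, user):
        # models: select password from sys.dba_users where username = '<USER>';
        return self.rows[user.upper()]

def password_equals_username(db, user):
    original = db.select_password(user)           # step 1: copy the stored hash
    try:
        db.identified_by(user, user)              # step 2: set password = username
        return db.select_password(user) == original   # step 3: compare
    finally:
        # step 4: always put the copied hash back, even if a step above fails,
        # so the account is never left with its username as password
        db.identified_by_values(user, original)

def audit(db):
    """Return the accounts whose password equals their username."""
    return sorted(u for u in list(db.rows) if password_equals_username(db, u))

if __name__ == "__main__":
    db = FakeUserTable()
    db.identified_by("scott", "scott")   # constructed sample accounts
    db.identified_by("king", "scott")
    db.identified_by("adams", "x9!mQ")
    print(audit(db))
```

Between steps 2 and 4 the account really does have its username as its password, so on a live system the window should be as short as possible and the restore must not be skipped.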