Re: Oracle password encryption algorithm?SKIP
Date: 6 Jul 1993 02:57:16 GMT
Message-ID: <21apmc$121_at_gaia.ucs.orst.edu>
In article <1993Jul1.134033.1_at_cbr.hhcs.gov.au> pihlab_at_cbr.hhcs.gov.au writes:
>In article <1993Jun30.154324.1_at_cissys>, trahan_at_cissys.read.tasc.com (Dave Trahan) writes:
>>
>> Does anyone know what algorithm Oracle uses to encrypt user passwords?
>
>Hopefully, only Oracle and it's well guarded. If everyone knew the algorithm
>then there would be no point in having a password because the encrypted value
>is stored (visible) in the database and you could run a program to crack
>anyone's account.
[some deleted]
>> I'm trying to write a tool to find users who have set their Oracle password
>> to be the same as their Oracle username. I'm familiar with the method used
>> in such system tools as COPS, and I'm trying to apply the same technique
>> to Oracle, but without the encryption algorithm, I'm kinda stuck. I heard
>> it was based on the Unix 'crypt' algorithm, but with a minor change.
>>
>>
>> Any thoughts?
>
>Yes. Write a tool that tries to logon with a password equal to the username
>for EACH Oracle account you have. If it succeeds in logging in then you can
>tell them to get their act together otherwise you can assume it's
>reasonably safe. You could keep a checklist of passwords to try : like
>first name, last name, middle name, Oracle Userid, Operating System
>Userid, etc etc etc.
Yeah, if you are concerned at all about security of your database, DON'T do this. This makes your database system just as unsecure as the Unix box if you were to allow the same thing on it........
-Paul
-- Paul M. Mickel Internet:mickel_at_oes.orst.edu Database Programmer, Teledyne Wah Chang Albany, OR 97321 Disclaimer: My employer never claims my opinions (unless it makes a profit).Received on Tue Jul 06 1993 - 04:57:16 CEST