Re: Decode Oracle Password?

From: Thomas J Kyte <tkyte_at_us.oracle.com>
Date: 1996/03/20
Message-ID: <4iov53$ko7_at_inet-nntp-gw-1.us.oracle.com>#1/1

dtrahan_at_tyler.ultranet.com (David Trahan) wrote:

>tkyte_at_us.oracle.com (Thomas J Kyte) wrote:
 

>>dtrahan_at_tyler.ultranet.com (David Trahan) wrote:
 

>>>qq45_at_liverpool.ac.uk (Ms. D.H. Harvey) wrote:
 

>>>>Is there any way to decode an oracle user's password? We'd like to
>>>>check those of users accessing our server over our network are not
>>>>easily guessable.
 

>>>> TIA
>>>> Helen
 

>>>SQL<>SECURE from BrainTree Technology does this and much more.
>>>See http://www.sqlsecure.com, email to info_at_sqlsecure.com or
>>>call (617) 982-0200
 

>>You don't mean the SQL<>SECURE decode's oracle passwords do you?
 

>Indirectly - yes it does. It can check each user's password against
>a dictionary of supplied words, the username, and common keyboard
>combinations and determine if the password is weak. If the password
>is weak, it is flagged as such but the actual password value is not
>reported to the user since it would obviously be a glaring security
>violation (obviously - though - the software knows what the password
>is).

Right, just clearing it up. You **can't** decode an Oracle password (directly or indirectly). A sufficiently priveleged account (one with select on sys.dba_users and ALTER ANY USER) can 'guess' at passwords. You can of course audit this activity.

> Dave
 

>Dave Trahan
>dtrahan_at_ultranet.com

Thomas Kyte
tkyte_at_us.oracle.com
Oracle Government

---

opinions and statements are mine and do not necessarily reflect the opinions of Oracle Corporation. Received on Wed Mar 20 1996 - 00:00:00 CET