Re: Decode Oracle Password?
Date: 1996/03/20
Message-ID: <4ip0l0$5cg_at_caesar.ultra.net>#1/1
tkyte_at_us.oracle.com (Thomas J Kyte) wrote:
>dtrahan_at_tyler.ultranet.com (David Trahan) wrote:
>>tkyte_at_us.oracle.com (Thomas J Kyte) wrote:
>>>dtrahan_at_tyler.ultranet.com (David Trahan) wrote:
>>>>qq45_at_liverpool.ac.uk (Ms. D.H. Harvey) wrote:
>>>>>Is there any way to decode an oracle user's password? We'd like to
>>>>>check those of users accessing our server over our network are not
>>>>>easily guessable.
>>>>> TIA
>>>>> Helen
>>>>SQL<>SECURE from BrainTree Technology does this and much more.
>>>>See http://www.sqlsecure.com, email to info_at_sqlsecure.com or
>>>>call (617) 982-0200
>>>You don't mean the SQL<>SECURE decode's oracle passwords do you?
>>Indirectly - yes it does. It can check each user's password against
>>a dictionary of supplied words, the username, and common keyboard
>>combinations and determine if the password is weak. If the password
>>is weak, it is flagged as such but the actual password value is not
>>reported to the user since it would obviously be a glaring security
>>violation (obviously - though - the software knows what the password
>>is).
>Right, just clearing it up. You **can't** decode an Oracle password (directly
>or indirectly). A sufficiently priveleged account (one with select on
>sys.dba_users and ALTER ANY USER) can 'guess' at passwords. You can of course
>audit this activity.
Clearly, it does not "descramble" passwords - this is impossible since Oracle uses one-way encryption. What the original poster was asking for was a way to identify weak passwords. We do that.
Dave
Dave Trahan
dtrahan_at_ultranet.com
Received on Wed Mar 20 1996 - 00:00:00 CET