Re: validate password within PL/SQL?

From: FaheemRao <faheemrao_at_yahoo.com>
Date: 12 Dec 2003 19:41:09 -0800
Message-ID: <43b58913.0312121941.74fb25bd_at_posting.google.com>


I may not be able to help you with exactly what you are trying to do, but here is one tip. May it help you.
For example:
If you get the hashed value of a password, say "ABC", and the hashed value is, say, "qwer", now you change the password ABC to "def". Now do this:

alter user test identified by values 'qwer';

Now the password is again ABC.
;)

Faheem

arktikturtle_at_correctthe_spelling.yahoo.com wrote in message news:<brdc6p$vlr$1_at_news.netmar.com>...
> Hi! I'm looking for a way to validate a password within PL/SQL. I want to
> write
>
> CREATE PROCEDURE change_password(old_password IN VARCHAR2)
> IS
> BEGIN
> -- check if old_password is correct... but how?
>
> I can get the hashed value of the password from DBA_USERS, of course, but is
> there a way to hash old_password to see if it matches? (I wouldn't be
> surprised if Oracle doesn't supply access to its one-way password hashing
> algorithm... too useful for a password cracker...)
>
> I can't actually try a CONNECT statement from within PL/SQL, right? And even
> if I could, that would kill my current connection, right? That's no good...
>
> Of course, because the user logged in successfully, they obviously had the
> correct password at one point. But what if they logged in, left their desk,
> and now somebody else is trying to change their password? Limiting idle_time
> in the user's profile reduces the risk of this, but it's also really
> annoying, especially if the time is short enough to protect every stroll to
> the coffeepot.
>
> The PASSWORD command in SQL*Plus prompts for old password, but I'm trying to
> put this in a procedure that can be called from a GUI.
>
> OK, here's an idea! I can create a dummy user identified by the supplied
> old_password, then SELECT PASSWORD FROM DBA_USERS to see if the hashed
> password of the dummy user matches the hashed password of the application
> user... nope, didn't work! Apparently the algorithm doesn't have a simple 1
> clear-text-password: 1 hashed-password mapping; each username/password
> combination gets a different result.
>
> As you can see, I'm running out of ideas. Can anyone help?
>
> Thanks very much!
> - Catherine
> http://profiles.yahoo.com/arcticturtle
Received on Sat Dec 13 2003 - 04:41:09 CET
