Re: validate password within PL/SQL?

From: Justin Cave <>
Date: 13 Dec 2003 01:51:08 -0800
Message-ID: <>

wrote in message news:<brdc6p$vlr$>...
> Hi! I'm looking for a way to validate a password within PL/SQL. I want to write
> CREATE PROCEDURE change_password(old_password IN VARCHAR2)
> IS
> -- check if old_password is correct... but how?

The easiest way I could envision doing something like this would be to create a Java stored procedure that attempted to connect with the supplied username & password.

> OK, here's an idea! I can create a dummy user identified by the supplied
> old_password, then SELECT PASSWORD FROM DBA_USERS to see if the hashed
> password of the dummy user matches the hashed password of the application
> user... nope, didn't work! Apparently the algorithm doesn't have a simple 1
> clear-text-password: 1 hashed-password mapping; each username/password
> combination gets a different result.

I'd strongly suspect that the hash takes into account at least the username & the machine the database is on. It would be really unfortunate if I could take information from DBA_USERS on the production machine, copy it over to my laptop, and start cracking passwords. Not incorporating username & machine information into the hash's salt would allow this sort of thing, so I'm pretty darn certain Oracle doesn't allow it.

Justin Cave
Distributed Database Consulting, Inc.

Received on Sat Dec 13 2003 - 10:51:08 CET
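The approach suggested in the reply above, sketched as an added example that is not part of the original post: a Java class, loadable as a Java stored procedure, that tries to open a JDBC session with the supplied credentials. The class name `PasswordCheck`, the `jdbcUrl` parameter and the PL/SQL wrapper name `check_password` are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Hypothetical helper class (name is an assumption, not from the post).
// A PL/SQL call specification could publish it, for example:
//   CREATE OR REPLACE FUNCTION check_password(
//       p_url VARCHAR2, p_user VARCHAR2, p_pwd VARCHAR2) RETURN NUMBER
//   AS LANGUAGE JAVA NAME
//     'PasswordCheck.check(java.lang.String, java.lang.String,
//                          java.lang.String) return int';
public class PasswordCheck {

    // ORA-01017: invalid username/password; logon denied
    private static final int ORA_INVALID_LOGON = 1017;

    /**
     * Returns 1 if the credentials open a session and 0 if Oracle rejects
     * them with ORA-01017. Every other failure (listener unreachable,
     * locked or expired account, ...) is rethrown so the caller does not
     * mistake an outage or a lockout for a wrong password.
     *
     * jdbcUrl is an assumed parameter, e.g. a thin-driver URL pointing
     * back at the same database.
     */
    public static int check(String jdbcUrl, String username, String password)
            throws SQLException {
        // Refuse empty input instead of sending it to the listener.
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            return 0;
        }
        DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
        // try-with-resources closes the probe session immediately.
        try (Connection probe =
                 DriverManager.getConnection(jdbcUrl, username, password)) {
            return 1;
        } catch (SQLException e) {
            if (e.getErrorCode() == ORA_INVALID_LOGON) {
                return 0;
            }
            throw e;
        }
    }
}
```

Each rejected call is a real failed logon, so it counts toward the account's `FAILED_LOGIN_ATTEMPTS` profile limit; EXECUTE on the wrapper should be granted only to the code that needs it.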
