From: Andy Klock <andy@oracledepot.com>
Date: Thu, 7 Jul 2016 09:32:56 -0400
Subject: Re: Passwords in DBA_USERS (Oracle 12c)
To: Chris Taylor <christopherdtaylor1994@gmail.com>
Cc: dimensional.dba@comcast.net, Mladen Gogala <gogala.mladen@gmail.com>, 
 oracle-l <oracle-l@freelists.org>
Content-Type: multipart/alternative; boundary=94eb2c06af4054851505370bb9b2
--94eb2c06af4054851505370bb9b2
Content-Type: text/plain; charset=UTF-8

All your points are valid, Chris.  My absurdity comment is about the Oracle
software allowing someone to log into someone else's account and then reset
the password back to its previous state. This is a gaping security hole
that should be filled. Removing PASSWORD from DICTIONARY access was a step
in the right direction. Those hashes shouldn't be considered unbreakable.

Didn't mean to imply that Mladen was doing anything wrong.

On Thu, Jul 7, 2016 at 9:16 AM, Chris Taylor <christopherdtaylor1994@gmail.com> wrote:

> Having the password "somewhere" is important so I'm not sure if Andy is
> suggesting it's absurd to have it anywhere in the database or not.  But for
> at least one case it's terribly important and that is supporting legacy
> applications.
>
> Sometimes you need to be able to log in as an application schema to create
> an object such as a materialized view or database link that is either
> exceptionally difficult or impossible to do UNLESS you are logged in as the
> schema owner.
> The DBA may not have access to the schema password but can preserve the
> password by looking at sys.user$ for the encrypted password, temporarily
> change it, create the object (db link or MV), then change the password back
> without ever affecting the application (or briefly affecting the
> application at least).
>
> Thanks,
> Chris
>
>

--94eb2c06af4054851505370bb9b2--
--
http://www.freelists.org/webpage/oracle-l
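
An added example, not part of the thread and not Oracle's own tooling: a correlator that flags the sequence discussed above (someone changes another account's password, a session logs in as that account, and the same person changes the password again shortly afterwards). The event tuples, field order and action labels are assumptions; map them to whatever your audit trail exports.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed audit events (timestamp, actor, action, target); not real data.
# "ALTER USER" rows are assumed to be password changes only.
EVENTS = [
    ("2016-07-07 09:00:05", "DBA1", "ALTER USER", "APPOWNER"),
    ("2016-07-07 09:00:20", "APPOWNER", "LOGON", "APPOWNER"),
    ("2016-07-07 09:04:10", "APPOWNER", "CREATE DATABASE LINK", "APPOWNER"),
    ("2016-07-07 09:05:00", "DBA1", "ALTER USER", "APPOWNER"),
    ("2016-07-07 10:00:00", "SCOTT", "ALTER USER", "SCOTT"),  # own password
    ("2016-07-07 11:00:00", "DBA2", "ALTER USER", "HR"),      # reset, no restore
]


def find_borrowed_accounts(events, window=timedelta(minutes=30)):
    """Return (actor, target, first_change, second_change) for every
    change -> logon-as-target -> change sequence inside `window`."""
    parsed = sorted(
        (datetime.strptime(ts, FMT), actor, action, target)
        for ts, actor, action, target in events
    )
    pending = {}   # (actor, target) -> {"start": datetime, "logon": bool}
    findings = []
    for ts, actor, action, target in parsed:
        if action == "LOGON":
            # A session opened as an account whose password was just changed
            # by somebody else.
            for (_, tgt), state in pending.items():
                if tgt == actor and ts - state["start"] <= window:
                    state["logon"] = True
        elif action == "ALTER USER" and actor != target:
            key = (actor, target)
            state = pending.get(key)
            if state and state["logon"] and ts - state["start"] <= window:
                findings.append((actor, target, state["start"], ts))
                del pending[key]
            else:
                # First change, or an earlier one that aged out: start over.
                pending[key] = {"start": ts, "logon": False}
    return findings


if __name__ == "__main__":
    for actor, target, start, end in find_borrowed_accounts(EVENTS):
        print(f"{actor} changed {target}'s password twice around a logon: "
              f"{start} -> {end}")
```

The audit rows alone cannot show whether the second change restored the earlier hash, so a finding is a lead for review rather than proof.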


