Return-Path: <oracle-l-bounce@freelists.org>
X-Original-To: oracle-l@orafaq.com
Delivered-To: oracle-l@orafaq.com
Received: from puck1183.startdedicated.com (localhost [127.0.0.1])
 by puck1183.startdedicated.com (Postfix) with ESMTP id 847CE196018D
 for <oracle-l@orafaq.com>; Thu,  7 Jul 2016 15:59:46 +0200 (CEST)
Received: from turing.freelists.org (turing.freelists.org [206.53.239.180])
 by puck1183.startdedicated.com (Postfix) with ESMTPS
 for <oracle-l@orafaq.com>; Thu,  7 Jul 2016 15:59:46 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 696F225149;
 Thu,  7 Jul 2016 09:58:27 -0400 (EDT)
X-Virus-Scanned: Debian amavisd-new at turing.freelists.org
Received: from turing.freelists.org ([127.0.0.1])
 by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id nNBBU359Ndg2; Thu,  7 Jul 2016 09:58:27 -0400 (EDT)
Received: from turing.freelists.org (localhost [127.0.0.1])
 by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 86D5424FB6;
 Thu,  7 Jul 2016 09:58:14 -0400 (EDT)
Received: with ECARTIS (v1.0.0; list oracle-l); Thu, 07 Jul 2016 09:56:52 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
 by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTP id 7D62224D79
 for <oracle-l@freelists.org>; Thu,  7 Jul 2016 09:56:52 -0400 (EDT)
Received: from turing.freelists.org ([127.0.0.1])
 by localhost (turing.freelists.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id vmQYhOv1GFgD for <oracle-l@freelists.org>;
 Thu,  7 Jul 2016 09:56:52 -0400 (EDT)
Received: from mail-qk0-f179.google.com (mail-qk0-f179.google.com [209.85.220.179])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by turing.freelists.org (Avenir Technologies Mail Multiplex) with ESMTPS id 4906424D29
 for <oracle-l@freelists.org>; Thu,  7 Jul 2016 09:56:51 -0400 (EDT)
Received: by mail-qk0-f179.google.com with SMTP id e3so14826403qkd.0
        for <oracle-l@freelists.org>; Thu, 07 Jul 2016 06:56:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:cc:from:message-id:date
         :user-agent:mime-version:in-reply-to;
        bh=QSVspJUPwhQW2E+n4fpsyls2mC+Z47WOgOc/UKySlVc=;
        b=X78HV4y76f7Uyx+IClI+E5hoainDt5HqDKml5TTkoATZOjF9cgkn/otfYhIlpm5yIM
         SQ4ly9AC63m/eIHH9O3vlUeRj8z4snp33MjHw9azHF/Bn9NYkHkvZMWYG7KotvgEzpI+
         Syn6l1fzwlY9YdbzBNiPeP7T/jTU8OwtnOMw+3QK0ZE+tFDeyifY0eUvF0xtuHol95wm
         CozLzb+tPQrh6Q4VoylnFP6+zvJInkNO3/cVyvfvVW0Vzd688hJ6hHUUSNXnni7mTM8K
         2X/O5CpHfAjRMNUcjtV0nPDdGf9OIfUymg/tDCm5LJuE/MgWWq18WDdS7fnt6en1Qxjn
         o7tA==
X-Gm-Message-State: ALyK8tIcwd2RwLMq4qGihCLsXkSOUnMB5ZezhJlOBABiO41tJe+ibcxVoHvI4uLSqVcyKQ==
X-Received: by 10.55.200.137 with SMTP id t9mr442995qkl.128.1467899811275;
        Thu, 07 Jul 2016 06:56:51 -0700 (PDT)
Received: from [192.168.1.100] (cpe-72-226-85-94.nyc.res.rr.com. [72.226.85.94])
        by smtp.gmail.com with ESMTPSA id 56sm2185200qtt.31.2016.07.07.06.56.50
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Jul 2016 06:56:50 -0700 (PDT)
Subject: Re: Passwords in DBA_USERS (Oracle 12c)
To: Andy Klock <andy@oracledepot.com>,
 Chris Taylor <christopherdtaylor1994@gmail.com>
References: <577D96E8.60502@gmail.com>
 <CAC540oiLsoSZ+26yqv0ecmFq8P__4+NbGQUPjQgLqGqjZPkEGQ@mail.gmail.com>
 <577DA534.2090905@gmail.com>
 <CADo_RaP=DgVAr6SsqF8WX+JNsyyBHBCqY+_BtW6XoZT05Kd_Ww@mail.gmail.com>
 <016201d1d808$763be5f0$62b3b1d0$@comcast.net>
 <CAP79kiTUN+7bixhP30F0CMH90+RdeWtBE7BAWSUH8b3kOvDuLA@mail.gmail.com>
 <CADo_RaMmO1hTeKfD3DoTZuQKLKU5+sbJ11fwm8mHYMUEs5JQmA@mail.gmail.com>
Cc: dimensional.dba@comcast.net, oracle-l <oracle-l@freelists.org>
From: Mladen Gogala <gogala.mladen@gmail.com>
Message-ID: <577E5FA2.9070902@gmail.com>
Date: Thu, 7 Jul 2016 09:56:50 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <CADo_RaMmO1hTeKfD3DoTZuQKLKU5+sbJ11fwm8mHYMUEs5JQmA@mail.gmail.com>
Content-Type: multipart/alternative;
 boundary="------------090704080601030605000502"
X-archive-position: 65471
X-ecartis-version: Ecartis v1.0.0
Sender: oracle-l-bounce@freelists.org
Errors-to: oracle-l-bounce@freelists.org
X-original-sender: gogala.mladen@gmail.com
Precedence: normal
Reply-To: gogala.mladen@gmail.com
List-help: <mailto:ecartis@freelists.org?Subject=help>
List-unsubscribe: <oracle-l-request@freelists.org?Subject=unsubscribe>
List-software: Ecartis version 1.0.0
List-Id: oracle-l <oracle-l.freelists.org>
X-List-ID: oracle-l <oracle-l.freelists.org>
List-subscribe: <oracle-l-request@freelists.org?Subject=subscribe>
List-owner: <mailto:mark.bobak@proquest.com>
List-post: <mailto:oracle-l@freelists.org>
List-archive: <http://www.freelists.org/archives/oracle-l>
X-list: oracle-l
--------------090704080601030605000502
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

If I had a choice, which is not the case, my preferred mechanism would 
be "ALTER SESSION SET CURRENT_SCHEMA", but that doesn't work. Scott Deas 
has an interesting mechanism for doing that, without going through the 
password reset.
As for hashes being unbreakable, SHA512 algorithm has not been broken 
yet. It produces 512 bit integer and it would take while to find the 
right combination of ASCII characters with such a hash, even with a 
super-computer, with thousands of CPU resources. That means that for all 
intents and purposes SHA512 is unbreakable.
Regards

On 07/07/2016 09:32 AM, Andy Klock wrote:
> All your points are valid Chris.  My absurdity comment is about the 
> Oracle software allowing someone to log into someone else's account 
> and then reset the password back to its previous state. This is a 
> gaping security hole that should be filled. Removing PASSWORD from 
> DICTIONARY access was a step in the right direction. Those hashes 
> shouldn't be considered unbreakable.
>
> Didn't meant to imply that the Mladen was doing anything wrong.
>
> On Thu, Jul 7, 2016 at 9:16 AM, Chris Taylor 
> <christopherdtaylor1994@gmail.com 
> <mailto:christopherdtaylor1994@gmail.com>> wrote:
>
>     Having the password "somewhere" is important so I'm not sure if
>     Andy is suggesting it's absurd to have it anywhere in the database
>     or not.  But for at least one case it's terribly important and
>     that is supporting legacy applications.
>
>     Sometimes you need to be able to login as an application schema to
>     create an object such as a materialized view or database link that
>     is either exceptionally difficult or impossible to do UNLESS you
>     are logged in as the schema owner.
>     The DBA may not have access to the schema password but can
>     preserve the password by looking at sys.user$ for the encrypted
>     password, temporarily change it, create the object (db link or
>     MV), then change the password back without ever affecting the
>     application (or briefly affecting the application at least).
>
>     Thanks,
>     Chris
>
>


-- 
Mladen Gogala
Oracle DBA
Tel: (347) 321-1217


--------------090704080601030605000502
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">If I had a choice, which is not the
      case, my preferred mechanism would be "ALTER SESSION SET
      CURRENT_SCHEMA", but that doesn't work. Scott Deas has an
      interesting mechanism for doing that, without going through the
      password reset. <br>
      As for hashes being unbreakable, SHA512 algorithm has not been
      broken yet. It produces 512 bit integer and it would take while to
      find the right combination of ASCII characters with such a hash,
      even with a super-computer, with thousands of CPU resources. That
      means that for all intents and purposes SHA512 is unbreakable.<br>
      Regards<br>
      <br>
      On 07/07/2016 09:32 AM, Andy Klock wrote:<br>
    </div>
    <blockquote
cite="mid:CADo_RaMmO1hTeKfD3DoTZuQKLKU5+sbJ11fwm8mHYMUEs5JQmA@mail.gmail.com"
      type="cite">
      <div dir="ltr">All your points are valid Chris.  My absurdity
        comment is about the Oracle software allowing someone to log
        into someone else's account and then reset the password back to
        its previous state. This is a gaping security hole that should
        be filled. Removing PASSWORD from DICTIONARY access was a step
        in the right direction. Those hashes shouldn't be considered
        unbreakable. 
        <div><br>
        </div>
        <div>Didn't meant to imply that the Mladen was doing anything
          wrong. <br>
          <div class="gmail_extra"><br>
            <div class="gmail_quote">On Thu, Jul 7, 2016 at 9:16 AM,
              Chris Taylor <span dir="ltr">&lt;<a
                  moz-do-not-send="true"
                  href="mailto:christopherdtaylor1994@gmail.com"
                  target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:christopherdtaylor1994@gmail.com">christopherdtaylor1994@gmail.com</a></a>&gt;</span>
              wrote:<br>
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">
                <div dir="ltr">
                  <div style="font-family:arial,helvetica,sans-serif">Having
                    the password "somewhere" is important so I'm not
                    sure if Andy is suggesting it's absurd to have it
                    anywhere in the database or not.  But for at least
                    one case it's terribly important and that is
                    supporting legacy applications.</div>
                  <div style="font-family:arial,helvetica,sans-serif"><br>
                  </div>
                  <div style="font-family:arial,helvetica,sans-serif">Sometimes
                    you need to be able to login as an application
                    schema to create an object such as a materialized
                    view or database link that is either exceptionally
                    difficult or impossible to do UNLESS you are logged
                    in as the schema owner.</div>
                  <div style="font-family:arial,helvetica,sans-serif">The
                    DBA may not have access to the schema password but
                    can preserve the password by looking at sys.user$
                    for the encrypted password, temporarily change it,
                    create the object (db link or MV), then change the
                    password back without ever affecting the application
                    (or briefly affecting the application at least).</div>
                  <div style="font-family:arial,helvetica,sans-serif"><br>
                  </div>
                  <div style="font-family:arial,helvetica,sans-serif">Thanks,</div>
                  <div style="font-family:arial,helvetica,sans-serif">Chris</div>
                  <div style="font-family:arial,helvetica,sans-serif"><br>
                  </div>
                </div>
              </blockquote>
            </div>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Mladen Gogala
Oracle DBA
Tel: (347) 321-1217
</pre>
  </body>
</html>

--------------090704080601030605000502--
--
http://www.freelists.org/webpage/oracle-l