Re: password encryption

"Andreas Moroder" <Andreas.moroder@[nospam]sb-brixen.it> wrote in message news:e6jjnj$kdt$1_at_news.dtag.de...
> Mark D Powell schrieb:
>> If you are referring to the interal database storage of passwords then
>> the password is not encrypted; it is hashed. A paper has been
>> published on how to break the Oracle hash, but I do not think the
>> approximate 20 day average time to crack the hash will work for your
>> purposes..
> ....
>
> hello Mark,
>
> no plans to crack it. Even the passwor in md5 are not encrypted but hashed
> with MD5. If even oracle uses md5 it should be possible to simply import
> the openldap passord into the oracle dba_users table and it should work.
>
> Bye
> Andreas

No, not MD5. Oracle uses proprietary hashing algorithm. As previously noted, there is a paper on cracking Oracle password hashes which describes the algorithm in detail. However, even if it was MD5, you couldn't "simply import the openldap passord into the oracle dba_users table", because it's not a table, but a view on top of a system table that's normally protected from direct modifications (of course, if you're SYSDBA, you can hack around the dictionary at will, but you will end up with an unsupported database at least and damaged beyond repair at worst.) One thing you can do is to write a password verification function and use dbms_ldap to sync the directory with the password being verified. This will allow you to sync Oracle to LDAP, but not back (not what you want.) Another way is to use Oracle Internet Directory and Advanced Security Option to have Oracle users authenticated globally. The docs say that third-party directory services are supported under certain conditions, too. This solution is pretty expensive though.

Regards,

   Vladimir M. Zakharychev
   N-Networks, makers of Dynamic PSP(tm)    http://www.dynamicpsp.com Received on Tue Jun 13 2006 - 02:13:27 CDT