Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: How to compare passwords?

Re: How to compare passwords?

From: <javierpf_at_usa.net>
Date: Wed, 09 Feb 2000 17:25:17 GMT
Message-ID: <87s7to$kmh$1@nnrp1.deja.com> 






> Hi, Chris:


>


> There is no way to do what you want easily, unfortunately.


>


> However, there is one way that is somewhat of hack, but it will do


what you


> want. Have the application do the following:


>


> 1. Save the user's current password by selecting it out of DBA_USERS;


> 2. Change the password to be what the user password


>    ALTER USER user IDENTIFIED by password_given;


> 3. Select the new password out of DBA_USERS and compare the two;


> 4. If the passwords do not match, restore the current password. This


last step


> is VERY important.


>


> The difficulty with this approach is that if an error occurs and is


not


> caught, the user may be frozen out of the database because the


password will


> be incorrect.


>


>                                      Rick


>


> "Chris Ermlich" <cermlich_at_swri.edu> writes:


>


> > Hi folks,


> > I'm running into a verification problem. We are trying to provide an


> > authentication layer to an application where the app will check if


the user


> > entered a valid password. I can get the encrypted pw out od


DBA_USERS. Is


> > there a way to run the password encryption manually so I can


compare the


> > submitted password to the encrypted one out of DBA_USERS?


Obviously, there


> > is no way of getting the "real" password out of Oracle. The


authentication


> > is happening before the user logs on, so I can't just trap an


invalid logon


> > (e.g. viaVisual Basic ERR function).


> > Any advise would be appreciated.


> > Thanks,


> > Chris Ermlich


> > cermlich_at_swri.edu


> >


> >


> >


>


> --


>                                         Rick Wessman


>                                         Security and Directory


Technologies


>                                         Server Technologies


>                                         Oracle Corporation


>                                         rwessman_at_us.oracle.com


>


>        The statements and opinions expressed here are my own and do


not


>              necessarily represent those of  Oracle Corporation.


>





Hi people!




That is exactly what  I was looking for. Instead of user password I am
trying to check for the role password --I know those are in SYS.USER$--
  but I was thinking the same method than Chris.



Thanks Rick for your advise but I think changing role is worse than
changing user password. The effects will be disastrous.



Thus, I would like encrypt role password somewhere else and do -in some
way- what Oracle does when user enter his/her password.



I wonder if you could help and advice any encrypt-decrypt method to
store password. I wouldn't like to store the generation key in any
procedure or table. Is there some package for Oracle 8.0.5 or source
code to do that?.




Any comment will be appreciate.



Javier Pflaum


Data Security Analyst


CTi Movil S.A. (Argentina)


jpflaum_at_cti.com.ar




Sent via Deja.com http://www.deja.com/



Before you buy.
Received on Wed Feb 09 2000 - 11:25:17 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US