Re: Allowing users to change passwords

From: Emmanuel <zouzou_at_yahoo.com>
Date: 14 Jan 2000 13:46:51 GMT
Message-ID: <01bf5e9e$a3bbc9a0$3601017e_at_EHM.cirra.fr>


May I suggest the following:

  • Save the value of the PASSWORD column in DBA_USERS, i.e. in the variable OldEncryptedPwd
  • Use the Old Password value provided by the user and do the following:

ALTER USER MyUser IDENTIFIED BY OldPassword;

  • Compare the new value of PASSWORD column with value of variable OldEncryptedPwd
  • If it's the same, proceed with :

ALTER USER MyUser IDENTIFIED BY NewPassword;

  • if not, go back to the REAL old password by doing the following :

ALTER USER MyUser IDENTIFIED BY VALUES 'OldEncryptedPwd';

and issue an error message.

Steve B <steve.bright_at_capgemini.co.uk> wrote in article <85ktn9$god$1_at_taliesin2.netcom.net.uk>...
> We have a number of users accessing an 8.1.5 database via OAS 4.0.8......we
> have given the users a bit of functionality allowing them to change their
> passwords...basically they kick off a stored procedure which, by using
> dynamic SQL issues the "alter user STEVEB identified by <new password>;"
> DDL....
>
> This works fine, no problems. However any user can go to a machine that
> another user has been using and, via the browser interface, alter the
> previous user's password....not good....
>
> What I need are a few good ideas to prevent this...ie force the user to
> enter their old password and the new password ( as is common on NT systems
> for password changing ) and validate the old password before changing to
> the new...
>
> One way I've thought of is to call an external procedure from the invoked
> procedure which tries to connect to the same DB using the username and
> supplied ( old ) password.....If this fails then raise an error, if it works
> then one can assume that the old password is OK so then disconnect and
> continue as usual....
>
> Any other ideas ( I don't particularly want to keep the passwords in a table
> against the username )
>
>
> Cheers
>
> Steve B
>
> steve.bright_at_capgemini.co.uk
>
>
>
>
Received on Fri Jan 14 2000 - 14:46:51 CET
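
The steps suggested in the reply above, written out as one PL/SQL procedure. This is an added example, not code from either poster: CHANGE_PWD_CHECKED and its parameter names are hypothetical, and it assumes the procedure owner holds ALTER USER and SELECT on DBA_USERS through direct grants and that DBA_USERS.PASSWORD holds an unsalted 16-character hash, as on the 8.1.5 release in the thread.

```sql
-- Added illustration; CHANGE_PWD_CHECKED and its parameters are hypothetical names.
-- Assumes direct grants of ALTER USER and SELECT on DBA_USERS to the owner,
-- and an unsalted 16-character hash in DBA_USERS.PASSWORD.
CREATE OR REPLACE PROCEDURE change_pwd_checked (
  p_user    IN VARCHAR2,
  p_old_pwd IN VARCHAR2,
  p_new_pwd IN VARCHAR2
) AS
  v_user     dba_users.username%TYPE;
  v_old_hash dba_users.password%TYPE;
  v_try_hash dba_users.password%TYPE;
BEGIN
  -- Passwords are concatenated into DDL text, so refuse anything that could
  -- break out of the double-quoted password.
  IF p_old_pwd IS NULL OR p_new_pwd IS NULL
     OR INSTR(p_old_pwd, '"') > 0 OR INSTR(p_new_pwd, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password is empty or contains a double quote');
  END IF;

  -- Step 1: save the stored hash. The user name used in the DDL comes from
  -- the dictionary, not from the caller's string (NO_DATA_FOUND if unknown).
  SELECT username, password INTO v_user, v_old_hash
    FROM dba_users WHERE username = UPPER(p_user);

  -- Accounts without a 16-character hash cannot be restored by step 4.
  IF v_old_hash IS NULL OR LENGTH(v_old_hash) <> 16 THEN
    RAISE_APPLICATION_ERROR(-20003, 'Account has no password hash to verify');
  END IF;

  -- Step 2: set the claimed old password, then re-read the hash.
  EXECUTE IMMEDIATE 'ALTER USER "' || v_user ||
                    '" IDENTIFIED BY "' || p_old_pwd || '"';
  SELECT password INTO v_try_hash FROM dba_users WHERE username = v_user;

  IF v_try_hash = v_old_hash THEN
    -- Step 3: hashes match, so the old password was correct.
    EXECUTE IMMEDIATE 'ALTER USER "' || v_user ||
                      '" IDENTIFIED BY "' || p_new_pwd || '"';
  ELSE
    -- Step 4: mismatch; put the real hash back and report the failure.
    EXECUTE IMMEDIATE 'ALTER USER "' || v_user ||
                      '" IDENTIFIED BY VALUES ''' || v_old_hash || '''';
    RAISE_APPLICATION_ERROR(-20002, 'Old password is incorrect');
  END IF;
END change_pwd_checked;
/
```

Between step 2 and step 4 the account briefly accepts whatever old password was supplied, and each ALTER USER commits implicitly, so failed attempts should be logged and rate-limited by the caller. The hash comparison only works where setting the same password always yields the same stored value; with salted verifiers the two hashes differ even for a correct password.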
