Re: Oracle password encryption algorithm?

From: Christian A. Ratliff <ratlifc_at_ctron.com>
Date: 6 Jul 1993 12:36:28 GMT
Message-ID: <21brkcINNfmd_at_ctron-news.ctron.com>


  Is this '<mypasswd>' in plaintext or encrypted? This concerns me as the Oracle rep I spoke with a few weeks ago told me that their security was impeccable. Particularly since he said they did not pass any plaintext passwords over the network. However, listing it in the process table is just as bad. :)

In article <21apmc$121_at_gaia.ucs.orst.edu>, mickel_at_OES.ORST.EDU (Paul Mickel) writes:
> However, it makes no sense to encrypt the passwd if you can see it from the
> process table on the box running the application. I discovered this
> just the other day when I was killing some processes that were running
> sqlforms30. Doing a 'ps -fu extract' I found the following:
>
> 78977 78971 0:20 p2 sqlforms30 -c extract:vt220 extract/<mypasswd>
>
> (process numbers were different and the columns of table may be off a little,
> but did contain all this information.)
>
> While I didn't test this with other Oracle products that we had, the fact this
> occurred at all makes me wonder how extensive this problem is. By implication,
> I could gain the DBA's passwd while they are on and have LOTS of fun.....
>
> This is under Oracle version 6.0.36

thanks,
christian


Christian Ratliff                        Cabletron Systems, Inc.
EDGE System Developer                    Rochester, NH 03867
ratlifc_at_ctron.com  <NeXTmail OK>         Work: (603) 337-1209
"I'm a NeXTSTEP man; I'm an SGI guy."    Home: (207) 780-NeXT
Nobody at Cabletron knows, approves of, or recalls my opinions.

Received on Tue Jul 06 1993 - 14:36:28 CEST
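
The exposure discussed in this thread can be audited for from the defender's side. The following is an added example, not part of either post and not Oracle code: it scans `ps`-style output for Oracle client processes whose arguments carry a `user/password` connect string and reports them with the password redacted. The tool list, the column layout (`cmd_col`) and all sample lines other than the one quoted in the post are assumptions.

```python
import os
import re

# Oracle client programs to audit. Assumption: adjust this set to the tools
# installed at your site; sqlforms30 is the one named in the post.
ORACLE_TOOLS = {"sqlforms30", "sqlplus", "exp", "imp", "sqlldr"}

# A connect string passed as one argv token: user/password[@alias].
# "user/" (prompt for password) and "/nolog" do not match.
CONNECT = re.compile(r"^(?P<user>[A-Za-z][\w$#]*)/(?P<pw>[^/@\s]+)(?P<db>@\S+)?$")

def find_exposed(ps_lines, cmd_col=4):
    """Return (pid, program, redacted token) for every Oracle client whose
    argv carries user/password. cmd_col is the index of the command field."""
    findings = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) <= cmd_col or not fields[0].isdigit():
            continue  # header or malformed line
        argv = fields[cmd_col:]
        prog = os.path.basename(argv[0])
        if prog not in ORACLE_TOOLS:
            continue
        for tok in argv[1:]:
            m = CONNECT.match(tok)
            if m:  # never echo the password itself into the audit report
                findings.append((int(fields[0]), prog,
                                 f"{m['user']}/********{m['db'] or ''}"))
    return findings

# Constructed sample: the first process line is the one quoted in the post,
# the others are made up for illustration.
SAMPLE_PS = [
    "  PID  PPID TIME TTY CMD",
    "78977 78971 0:20 p2 sqlforms30 -c extract:vt220 extract/<mypasswd>",
    "78980 78971 0:01 p2 /u01/bin/sqlplus scott/ExamplePw1@prod",
    "78981 78971 0:00 p3 sqlplus scott/",
    "78982 78971 0:00 p3 sqlplus /nolog",
    "78983 78971 0:00 p3 vi src/main.c",
]

if __name__ == "__main__":
    for pid, prog, token in find_exposed(SAMPLE_PS):
        print(f"pid {pid}: {prog} exposes credentials in argv ({token})")
```

Processes started as `user/` or `/nolog` are not flagged, because the client then prompts for the password instead of taking it on the command line.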
