Re: validate password within PL/SQL?

From: Justin Cave <jocave_at_yahoo.com>
Date: 13 Dec 2003 01:51:08 -0800
Message-ID: <233b7a65.0312130151.28a41085_at_posting.google.com>


arktikturtle_at_correct_the_spelling.yahoo.com wrote in message news:<brdc6p$vlr$1_at_news.netmar.com>...
> Hi! I'm looking for a way to validate a password within PL/SQL. I want to write
>
> CREATE PROCEDURE change_password(old_password IN VARCHAR2)
> IS
> BEGIN
> -- check if old_password is correct... but how?

The easiest way I could envision doing something like this would be to create a Java stored procedure that attempted to connect with the supplied username & password.

> OK, here's an idea! I can create a dummy user identified by the supplied
> old_password, then SELECT PASSWORD FROM DBA_USERS to see if the hashed
> password of the dummy user matches the hashed password of the application
> user... nope, didn't work! Apparently the algorithm doesn't have a simple 1
> clear-text-password: 1 hashed-password mapping; each username/password
> combination gets a different result.

I'd strongly suspect that the hash takes into account at least the username & the machine the database is on. It would be really unfortunate if I could take information from DBA_USERS on the production machine, copy it over to my laptop, and start cracking passwords. Not incorporating username & machine information into the hash's salt would allow this sort of thing, so I'm pretty darn certain Oracle doesn't allow it.

Justin Cave
Distributed Database Consulting, Inc.
www.ddbcinc.com/askDDBC

Received on Sat Dec 13 2003 - 10:51:08 CET
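
The approach suggested in the reply above (a Java stored procedure that attempts a connection with the supplied credentials), written out as an added example that is not part of the original message or of any Oracle-supplied code. The class name, method name and JDBC URL are hypothetical, and it assumes the Oracle thin JDBC driver is available to the JVM running it.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Added example: validates a password by attempting a real logon.
// PasswordCheck, check() and URL are illustrative names, not from the post.
public class PasswordCheck {

    // Constructed placeholder: point this at the listener and service of
    // the database whose accounts are being checked.
    private static final String URL =
        "jdbc:oracle:thin:@//localhost:1521/your_service";

    // ORA-01017: invalid username/password; logon denied
    private static final int ORA_INVALID_LOGON = 1017;

    /**
     * Returns 1 if the credentials open a session, 0 if the database
     * rejects them as wrong, and -1 if the check could not decide
     * (account locked or expired, listener unreachable, and so on).
     */
    public static int check(String username, String password) {
        if (username == null || password == null || password.isEmpty()) {
            return 0;
        }
        // Bound the wait so a dead listener cannot hang the caller.
        DriverManager.setLoginTimeout(5);
        try (Connection c = DriverManager.getConnection(URL, username, password)) {
            return 1; // session opened, so the password is correct
        } catch (SQLException e) {
            // Never log or echo the password, and do not pass the raw
            // driver message back to the end user.
            if (e.getErrorCode() == ORA_INVALID_LOGON) {
                return 0;
            }
            // Anything else is not evidence of a wrong password; report
            // it separately so a locked account is not misread as a typo.
            return -1;
        }
    }
}
```

Every rejected attempt here is a real failed logon, so it counts against the FAILED_LOGIN_ATTEMPTS limit in the user's profile and shows up in logon auditing; rate-limit callers accordingly. Publishing the method to PL/SQL needs a call specification, and the owning schema needs permission to open the network connection.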
