Hi
Is there any ways or tables that I can see the password for the users in the database? Currently the password is being encrypted in the dba_users table...Please advice. Thanks!
That's it! Passwords are stored hashed (one-way encryption) and can't be viewed en clair.
Ooops! Then if I want to create a page and allow users to update their password after verification through the database, there is no way this can be done??
If the hashing algorithm is public (I don't know - anyone out there who does? a v.quick Google didn't find what I wanted) you can hash the value given by the user and compare it with the stored value. Otherwise you will have to create your own authentication system!
I don't understand this.
Quote:
Originally posted by mooks
Ooops! Then if I want to create a page and allow users to update their password after verification through the database, there is no way this can be done??
If the user is already connected to the database when changing the password, then what's the point in checking the old password? He wouldn't be connected if he didn't know the old password. Simply let him only enter the new password (twice).
If on the other hand the user is not connected to the database, yet you want to allow him to change his database password, why don't you simply try to connect to the database with the old password he supplied during the old password verification process? If the connection succeeds you proceed with changing the password; if not, the entered old password was not correct.
Or what am I missing here?
Hi Jurij,
The classic scenario is: the user logs on, goes off for coffee and someone else runs in & changes p/w. The other person can then access the application from elsewhere, until the original user has to log on again (say next morning) when the p/w mess gets sorted. Re-validating the p/w avoids this.
Yep, makes sense.
Quote:
Originally posted by DaPi
Hi Jurij,
The classic scenario is: the user logs on, goes off for coffee and someone else runs in & changes p/w. The other person can then access the application from elsewhere, until the original user has to log on again (say next morning) when the p/w mess gets sorted. Re-validating the p/w avoids this.
Yes...u can see the passwords.
Use this free tool:
http://home.earthlink.net/~adamshalo...sword_cracker/
well if you dont know the old password you cannot change the password right DaPi?
that tool is brute force, it's like those password crackers for MS Office
That is exactly what mooks is trying to enforce by ensuring that the same person enters both old and new values at the same time.
Quote:
Originally posted by pando
well if you dont know the old password you cannot change the password right DaPi?
That's baloney. That password cracker is only a toy (quite a harmless one, I would add). Its attack is based on utilizing "brute force" - it tries all possible passwords from the supplied dictionary, hashes them using Oracle's hash algorithm and sees if they match the real hashed password. Now I can assure you that by using this toy you will not be able to see plain passwords on any system with decent password security standards enforced.
Quote:
Originally posted by freedba
Yes...u can see the passwords.
Use this free tool:
http://home.earthlink.net/~adamshalo...sword_cracker/
NOW THIS IS WHAT WE WANT. Jurij, do you know any refs to the algorithm? With that mooks can build p/w checking into his application.
Quote:
Originally posted by jmodic
hashes them using Oracle's hash algorithm
No, I think he wants to know the user's password so he can reset them, and not because he wants to know the old password in order to change to a new one. Well, at least in many places I have seen, if some user forgets his password what normally happens is he asks the corresponding department to reset it to a standard password and not to his old password.
Also we don't know what tool he is talking about so I am not sure, but talking from command line tools like sqlplus, it asks you the old password before changing to a new one; my point was, if a guy does not know the old password how can he change someone else's password?
Hmm, even if you know the algorithm, what can you do with a hashed value...? It's one way as you said, no way to unhash.
No, but I guess it can't be any top secret. After all, you can buy the full version of that password cracker for 4 dollars, and with that you get its source code. So the algorithm is available for as cheap as 4.00$ :D
Quote:
Originally posted by DaPi
Jurij, do you know any refs to the algorithm?
Reply to pando:
1) user enters old p/w and new p/w (twice)
2) application hashes old p/w and compares with stored value in db
3) if (2) is OK, application executes an ALTER USER
In almost all security environments I've been in, p/w change is forced after n days and the user also has the option to change p/w more frequently (which is what mooks is trying to do). Windows can do this, AS/400, etc
. . . and todays trivia:
The word algorithm, besides being impossible to spell, is a corruption of Al-Khowarizmi, the name of a 9th century mathematician http://www.aug.edu/dvskel/MichSP93.htm
We are talking about the same thing except what mooks tries to do; I don't see the point of needing to know the old password from an administrator's view. If the password expires after 30 days, the application prompts the user to change their password; if they don't remember it they call us, we do alter user identified by standard password, phone him back and that's it? Or not?
My security view-point is determined by what auditors inflict upon me (in three very different business areas now).
a) The norm is that the user should manage his/her own password and be fully accountable for what is done using that userid/password combination. This requires the option to change it at will, e.g. if the end-user thinks it might have been compromised.
b) If, due to a forgotten password, the admin has to "alter user identified by standard password" then the end-user should be forced (or at least encouraged) to change it immediately. Otherwise the admin can impersonate the end user - as would be recorded in an application audit trail. (Obviously the admin doesn't need the old p/w.)
mooks doesn't say so, but I suspect his end-users are a long way away from a SQL> prompt and he wants to build a user-friendly way to allow the end-user to deal with the above two points.
I don't understand the first point. I mean the security I have seen so far has always been like that: users change their password at their will, but obviously they need to know their old password; if they don't know it their only chance is to ask the admin to reset their password to a standard password.
The other thing is, the point you mentioned to jmodic: if a user X doesn't know my password how can he change my password while I was at coffee or whatever? If he wants to change my password he must know my old password.
I still see what his intentions are: he wants to know the user's password. For what? I don't know. Probably he doesn't want to use a standard password, rather he wants to reset to the user's old password. The other day I phoned my ISP because I had problems with my password (they kept on resetting to a new password and to the old one at their will)
The problem came when they told me in the phone:
"Ok sir, wait a sec I will check you password and see if I can login"
That was it! I thought, what the heck, a technical support person knows my personal mail password??? Ok, so they store the plain password in a table then. That really made me feel insecure! So my point is no one should know the user's old password. If the user can't remember it? Then the administrators will simply reset it to a standard password or to another one the user asks for.
The second you can do that with
alter user XXX identified by standard_pwd password expire;
when the user enters it, it says
Code:
lsc@LNX920-RAC1>alter user hr identified by std password expire;
User altered.
hr@LNX920>@conn hr
Enter password: std
ERROR:
ORA-28001: the password has expired
Changing password for hr
New password:
pando, I think mooks should be answering this, but . . . .
I don't think he wants to know the p/w, he wants to validate it; he said:
". . . i want to create a page and allow users to update their password after verification through the database . . "
in which case comparing hashed values will work.
If you connect successfully with, say, SQL*Plus and walk away from the PC, what stops me (apart from geography) from typing ALTER USER ?
I would like to make one suggestion here. As far as the application is concerned, to validate the user name and password you don't have to grant the ALTER USER privilege to the user, or need to know the stored hashed value; you can simply write a Java stored procedure (JDBC), load the Java class into the database and wrap it with a PL/SQL function that will take care of user validation.
Minesh
Personally, I'd have the user input the three values (old pw, new pw, new pw), try to open a new connection with the old pw, issue the alter user... command, and close the connection.
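The approach just described (and DaPi's three-step list above: old p/w plus new p/w twice, verify, then ALTER USER), as an added example for the application tier; this is not code from any poster in the thread. It assumes a driver whose connect call takes python-oracledb's `connect(user=..., password=..., dsn=...)` keyword arguments and returns an object with `.cursor()` and `.close()`; the `FakeOracle` class is a constructed stand-in so the module runs offline. Verifying the old password by opening a fresh session as that user means the application never needs the stored hash, the hash algorithm, or ALTER USER on its own account: the user changes only their own password, over their own session.

```python
import re

# Plain Oracle identifier only (letter, then letters/digits/_/$/#, up to 128 chars).
# Anything else is refused rather than quoted, because ALTER USER below is
# built as dynamic SQL and cannot take bind variables.
_USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,127}$")


class PasswordChangeError(Exception):
    """Malformed request, or the old password did not open a session."""


def quote_password(pw: str) -> str:
    """Return the password double-quoted for IDENTIFIED BY.

    Oracle forbids a double quote and a newline inside a password, so those
    are rejected outright instead of escaped.
    """
    if not pw:
        raise PasswordChangeError("empty password")
    if '"' in pw or "\n" in pw:
        raise PasswordChangeError('password may not contain " or a newline')
    return '"' + pw + '"'


def build_alter_user(username: str, new_pw: str) -> str:
    """Build the statement after validating both values."""
    if not _USERNAME_RE.match(username):
        raise PasswordChangeError("invalid username")
    return f"ALTER USER {username} IDENTIFIED BY {quote_password(new_pw)}"


def change_password(username, old_pw, new_pw, new_pw2, connect, dsn):
    """Prove knowledge of old_pw by connecting as the user, then change it.

    Returns True on success; any refusal (wrong old password, locked or
    expired account, bad input) is raised as PasswordChangeError.
    """
    if new_pw != new_pw2:
        raise PasswordChangeError("new passwords do not match")
    stmt = build_alter_user(username, new_pw)   # validate before touching the DB
    try:
        conn = connect(user=username, password=old_pw, dsn=dsn)
    except Exception as exc:  # real driver raises DatabaseError (e.g. ORA-01017)
        raise PasswordChangeError("old password rejected") from exc
    try:
        conn.cursor().execute(stmt)   # runs as the user, on the user's own account
        return True
    finally:
        conn.close()                  # the verification session is short-lived


class FakeOracle:
    """Constructed stand-in for an Oracle instance (offline demo only)."""

    def __init__(self, accounts):
        self.accounts = {u.upper(): p for u, p in accounts.items()}
        self.executed = []

    def connect(self, user, password, dsn):
        if self.accounts.get(user.upper()) != password:
            raise RuntimeError("ORA-01017: invalid username/password; logon denied")
        return _FakeConn(self)


class _FakeConn:
    def __init__(self, db):
        self.db = db

    def cursor(self):
        return self

    def execute(self, sql):
        self.db.executed.append(sql)
        m = re.match(r'ALTER USER (\S+) IDENTIFIED BY "(.*)"$', sql)
        self.db.accounts[m.group(1).upper()] = m.group(2)

    def close(self):
        pass


if __name__ == "__main__":
    db = FakeOracle({"hr": "std"})
    print(change_password("hr", "std", "n3w-Secret", "n3w-Secret", db.connect, "LNX920"))
    print(db.executed[-1])
```

One caveat the thread itself raises: this needs a second session for the user, so a profile that limits each account to one concurrent connection will make the verification connect fail even when the old password is right.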
Now that's the difference between giving someone what they ask for and giving someone what they need :) Spot on Jeff.
Quote:
Originally posted by marist89
Personally, I'd have the user input the three values (old pw, new pw, new pw), try to open a new connection with the old pw, issue the alter user... command, and close the connection.
You could also try re-booting (If you're on Windoz, anyway... ) :D
. . . or recompiling the kernel . . .
... unless the security policies enforce the profile setting where each user can have no more than one concurrent connection to the database ....
Quote:
Originally posted by marist89
Personally, I'd have the user input the three values (old pw, new pw, new pw), try to open a new connection with the old pw, issue the alter user... command, and close the connection.
Hi guys,
Thanks for all contributions. Basically I am not going to maintain the database, so I want to make things easier for the users by creating a page for the users to change their password.
It seems from all the contributed postings that I will not be able to verify the old password from the database... many thanks! :)
One more question...
I have granted the user alter user privileges, however when I execute the script I am getting an insufficient privileges error; is there anything that I have missed out? :rolleyes:
v_sql := 'alter user ... identified by ...';
EXECUTE IMMEDIATE v_sql;
Are you making the grant directly or through a role?
I made the grant directly.
Any advice please? :confused:
if you want help at least provide some code, or do you think everyone can guess as well as Tom Kyte?