Validating user name and password
DBAsupport.com Forums - Powered by vBulletin
Results 1 to 6 of 6

Thread: Validating user name and password

Hybrid View

  1. #1
    Join Date
    Oct 2001
    Location
    GA, USA
    Posts
    79

    Validating user name and password

    Hi Guys,

    I am trying to validate password using pl/sql procedure i am passing user name and password as a IN parameter and i wan to check that this user name and password is correct OR exist ? i know that i can select from DBA_USERS vies but oracle stores password in encrypted format so, whenever it try to check password it does not match with password in DBA_USERS view although i am passing correct user name and password can any one through some light on it ?


    Thanks
    Circumstances do not rise to meet our expectation. Embrace what you actually get. Open your eyes. See things for what they really are Thereby sparing yourself the pain of false attachements.

  2. #2
    Join Date
    May 2002
    Posts
    2,645
    There are aspects of a password you can check when someone is making or modifying one (length, types of characters, too close to the old one, etc.). Oracle even supplies a rudimentary password checking script in rdbms/admin. However, to do anything with password in dba_users, what is it you think you can validate? MIN1 and MIN2 both have aaaa as passwords, but you wouldn't know that from the encrypted value.

    Code:
    SQL> create user min1 identified by aaaa;
    
    User created.
    
    SQL> create user min2 identified by aaaa;
    
    User created.
    
    SQL> select username, password
      2  from dba_users
      3  where username like 'MIN%';
    
    USERNAME  PASSWORD
    --------- ------------------------------
    MIN1      BD2419DC3285F69D
    MIN2      7E255E3A0ED9B044

  3. #3
    Join Date
    Aug 2002
    Location
    Colorado Springs
    Posts
    5,253
    Read the password column value (like 'BD2419DC3285F69D') into a variable, then (for example) ...

    Alter user min1 identified by aaa;

    Now check the new hashed password frm the dba_users table and compare it with the value you read from the table earlier.

    If they are the same, the password is correct. If they are different, the passwords were different, and you ought to set the password back to the old value using (for example) ...

    Alter user min1 identified by value 'BD2419DC3285F69D'

    Of course if you can't get the ALTER ANY USER privilege, you're probably just trying to hack the account, eh?
    David Aldridge,
    "The Oracle Sponge"

    Senior Manager, Business Intelligence Development
    XM Satellite Radio
    Washington, DC

    Oracle ACE

  4. #4
    Join Date
    Oct 2001
    Location
    GA, USA
    Posts
    79
    Hi slimdave,


    Thanks for your replay but when user enters invalid password then i am again restoring old password value i.e. 'BD2419DC3285F69D'
    from variable but next time when i try to loging as min1 user it does not take original password but it replace with 'BD2419DC3285F69D' value is there any resion why it is not restoring old password. is there any oracle utility i can use for this ?


    Thanks
    Circumstances do not rise to meet our expectation. Embrace what you actually get. Open your eyes. See things for what they really are Thereby sparing yourself the pain of false attachements.

  5. #5
    Join Date
    Aug 2002
    Location
    Colorado Springs
    Posts
    5,253
    Note the syntax difference between ...

    ALTER USER MIN1 IDENTIFIED BY AAA;

    ... and ...

    ALTER USER MIN1 IDENTIFIED BY VALUES 'BD2419DC3285F69D';

    The latter syntax is the undocumented way that Oracle creates users from an import file while guaranteeing that their passwords do not change from the export database. I suspect you might have missed out the VALUES bit.
    David Aldridge,
    "The Oracle Sponge"

    Senior Manager, Business Intelligence Development
    XM Satellite Radio
    Washington, DC

    Oracle ACE

  6. #6
    Join Date
    Oct 2001
    Location
    GA, USA
    Posts
    79
    Hi slimdave,

    You are correct i was missing By Values clause and i was also missing single quotes i was simply using old password value from variable that is why oracle was replacing password with old encrypted password value.

    Thanks for your valuable input


    Minesh
    Circumstances do not rise to meet our expectation. Embrace what you actually get. Open your eyes. See things for what they really are Thereby sparing yourself the pain of false attachements.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Click Here to Expand Forum to Full Width