+ Reply to Thread
Results 1 to 9 of 9
  1. 02-26-2003 04:55 AM #1
    ckwan
    ckwan is offline Senior Member
    Join Date
    Oct 2000
    Posts
    250

    Decrypt password

    Hi everyone,
    I have a situation where I want to get back my users'password where the user might forget the password and the application want to sent to the particular user for the lost password. And also this is transparent to the system admin user.

    Any ideas on this ?

    Thanks
    Reply With Quote Reply With Quote
  2. 02-26-2003 05:01 AM #2
    SANJAY_G's Avatar
    SANJAY_G
    SANJAY_G is offline Senior Advisor
    Join Date
    Feb 2000
    Location
    Singapore
    Posts
    1,758
    AFAIK you cannot decrypt the password stored in data dictionary.
    Sanjay G.
    Oracle Certified Professional 8i, 9i.

    "The degree of normality in a database is inversely proportional to that of its DBA"
    Reply With Quote Reply With Quote
  3. 02-26-2003 05:18 AM #3
    adewri's Avatar
    adewri
    adewri is offline Oracle Monk
    Join Date
    Nov 2002
    Location
    New Delhi, INDIA
    Posts
    1,796

    Re: Decrypt password

    Originally posted by ckwan
    Hi everyone,
    I have a situation where I want to get back my users'password where the user might forget the password and the application want to sent to the particular user for the lost password. And also this is transparent to the system admin user.

    Any ideas on this ?

    Thanks
    Well if that was possible, then there goes the security...

    no you cannot decrypt the password, what you can do is save the encrypted password some where and then reuse it to reset the password to initial password in case the user losses his or her password.

    Code:
    SQL> select username,password from dba_users where username ='HR';

USERNAME                       PASSWORD
------------------------------ ------------------------------
HR                             E3FDF7CE80ED18FE

SQL> conn hr/manager;
Connected.
--initial password was manager
SQL> conn sys as sysdba
Enter password:
Connected.
SQL> alter user hr identified by hr;

User altered.
--changed the password
SQL> conn hr/manager;
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL> conn sys as sysdba
Enter password:
Connected.
SQL> alter user hr identified by values 'E3FDF7CE80ED18FE';

User altered.
--resets the password to manager
SQL> conn hr/manager;
Connected.
SQL>
    This method is good in case you don't know a user password and you want to make changes in his/her schema without letting her know

    Just change it, make changes, reset it

    Little bit off the main topic. But you can find a way to use it.

    HTH
    Amar
    "There is a difference between knowing the path and walking the path."

    Amar's Blog  Get Firefox!
    Reply With Quote Reply With Quote
  4. 02-26-2003 06:49 AM #4
    jmodic
    jmodic is offline Super Moderator
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    You can not decrypt the password because it is not stored encrypted in the database dictionary!

    The gibberish values that can be seen in DBA_USERS.PASSWORD column are not encripted passwords, they are hash values of passwords + corresponding usernames. So they are obteined by implementing some hashing alghorytm, not some encription alghorytm.

    There is a huge difference between encryption and hashing. Encrypton is a reversible proces, while hashing is not. What that means? With encryption, you can allways get the original value from the encrypted value, provided that you have propper encryption key and an alghorytm. But with hashing process it is different. You can (generally speaking) never get the original value from the hashed value, even if you know the hashing algorythm. It is mathematicaly one-way process.

    Oracle stores only hashed values of the passwords, so noone (including everyone in Oracle Corp.) can ever "guess" what the real password is, even if he got access to thos hashed passwords. The only way to get real password from its hash value is by use of brute force.
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?
    Reply With Quote Reply With Quote
  5. 02-26-2003 07:02 AM #5
    adewri's Avatar
    adewri
    adewri is offline Oracle Monk
    Join Date
    Nov 2002
    Location
    New Delhi, INDIA
    Posts
    1,796
    hashed not encrypted thats news...

    so i get to learn another new thing from the great one
    Amar
    "There is a difference between knowing the path and walking the path."

    Amar's Blog  Get Firefox!
    Reply With Quote Reply With Quote
  6. 02-26-2003 07:13 AM #6
    abhaysk's Avatar
    abhaysk
    abhaysk is offline Krishna
    Join Date
    Dec 2002
    Location
    Bangalore ( India )
    Posts
    2,434
    U have one method.....to get the password at the time of change....& can be stored in a table........

    U Need to change the PSWD once....may u assign the same PSWD at the time of change....

    Code:
    create table user_pass(username varchar2(30), new_pass varchar2(30), old_pass varchar2(30), date_log date);

create or replace function fonc_pass
(username varchar2,
password varchar2,
old_password varchar2)
return boolean is 
n boolean;
m integer;
differ integer;
isdigit boolean;
ischar boolean;
ispunct boolean;
digitarray varchar2(20);
punctarray varchar2(25);
chararray varchar2(52);

begin 
insert into user_pass values(username,password,old_password,sysdate);
return(true);
end;
/

create user steeve identified by qwerty;

grant create session to steeve;

create profile test_pass limit
password_verify_function fonc_pass;

alter user steeve profile test_pass;

alter user steeve password expire;

-- ***************************************************************

SQL> show user;
USER is "SYS"
SQL> create table user_pass(username varchar2(30), new_pass varchar2(30), old_pass varchar2(30), date_log date);

Table created.

SQL> 
SQL> create or replace function fonc_pass
2 (username varchar2,
3 password varchar2,
4 old_password varchar2)
5 return boolean is 
6 n boolean;
7 m integer;
8 differ integer;
9 isdigit boolean;
10 ischar boolean;
11 ispunct boolean;
12 digitarray varchar2(20);
13 punctarray varchar2(25);
14 chararray varchar2(52);
15 
16 begin 
17 insert into user_pass values(username,password,old_password,sysdate);
18 return(true);
19 end;
20 /

Function created.

SQL> 
SQL> create user steeve identified by qwerty;

User created.

SQL> 
SQL> grant create session to steeve;

Grant succeeded.

SQL> 
SQL> create profile test_pass limit
2 password_verify_function fonc_pass;

Profile created.

SQL> 
SQL> alter user steeve profile test_pass;

User altered.

SQL> 
SQL> alter user steeve password expire;

User altered.

SQL> connect steeve/qwerty
ERROR:
ORA-28001: the password has expired


Changing password for steeve
New password: *******
Retype new password: *******
Password changed
Connected.
SQL> connect sys/YOURSYSPASSWORD
Connected.
SQL> select * from user_pass;

USERNAME NEW_PASS OLD_PASS DATE_LOG
------------------------------ ------------------------------ ------------------------------ ---------
STEEVE qwerty2 qwerty 04-SEP-02

1 row selected.

SQL>

    U Need to change the PSWD once....may u assign the same PSWD at the time of change....

    Here in above example it wud be "qwerty"

    & o/p wud be old and new pswd same.


    Regards
    Abhay.
    funky...

    "I Dont Want To Follow A Path, I would Rather Go Where There Is No Path And Leave A Trail."

    "Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"
    Reply With Quote Reply With Quote
  7. 02-26-2003 11:42 AM #7
    Shestakov
    Shestakov is offline Senior Advisor
    Join Date
    Sep 2001
    Location
    NJ, USA
    Posts
    1,287
    Originally posted by adewri
    hashed not encrypted thats news...
    In oracle (and in unix too):

    hash_pwd = TO_HASH(pwd, username)
    and not exists (as a mathematic method in nature):
    pwd = TO_PWD(hash_pwd, username)

    but encription/description has reverse mathematic methods
    if u can:
    encr_pwd = TO_ENCR(pwd, username)
    then must be exists (as a mathematic method):
    pwd = TO_DESCR(encr_pwd, username)

    NOTE: TO_HASH, TO_PWD, TO_ENCR, TO_DESCR are not real functions
    only as example.
    Reply With Quote Reply With Quote
  8. 02-28-2003 05:40 AM #8
    DaPi's Avatar
    DaPi
    DaPi is offline Old Cranky Philosopher
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Originally posted by jmodic
    The only way to get real password from its hash value is by use of brute force.
    You mean Mr.Hanky with a shot-gun?
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
    Reply With Quote Reply With Quote
  9. 02-28-2003 07:21 AM #9
    jmodic
    jmodic is offline Super Moderator
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    Originally posted by DaPi
    You mean Mr.Hanky with a shot-gun?
    Yep, that would be one of the variants of using brute force to crack the password. Certanly the most efficient and the cheapest variant...
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

Forum Rules

 Click Here to Expand Forum to Full Width