DBAsupport.com Forums - Powered by vBulletin
Results 1 to 9 of 9

Thread: Decrypt password

  1. #1
    Join Date
    Oct 2000
    Posts
    250

    Decrypt password

    Hi everyone,
    I have a situation where I want to get back my users'password where the user might forget the password and the application want to sent to the particular user for the lost password. And also this is transparent to the system admin user.

    Any ideas on this ?

    Thanks

  2. #2
    Join Date
    Feb 2000
    Location
    Singapore
    Posts
    1,758
    AFAIK you cannot decrypt the password stored in data dictionary.
    Sanjay G.
    Oracle Certified Professional 8i, 9i.

    "The degree of normality in a database is inversely proportional to that of its DBA"

  3. #3
    Join Date
    Nov 2002
    Location
    New Delhi, INDIA
    Posts
    1,796

    Re: Decrypt password

    Originally posted by ckwan
    Hi everyone,
    I have a situation where I want to get back my users'password where the user might forget the password and the application want to sent to the particular user for the lost password. And also this is transparent to the system admin user.

    Any ideas on this ?

    Thanks
    Well if that was possible, then there goes the security...

    no you cannot decrypt the password, what you can do is save the encrypted password some where and then reuse it to reset the password to initial password in case the user losses his or her password.

    Code:
    SQL> select username,password from dba_users where username ='HR';
    
    USERNAME                       PASSWORD
    ------------------------------ ------------------------------
    HR                             E3FDF7CE80ED18FE
    
    SQL> conn hr/manager;
    Connected.
    --initial password was manager
    SQL> conn sys as sysdba
    Enter password:
    Connected.
    SQL> alter user hr identified by hr;
    
    User altered.
    --changed the password
    SQL> conn hr/manager;
    ERROR:
    ORA-01017: invalid username/password; logon denied
    
    
    Warning: You are no longer connected to ORACLE.
    SQL> conn sys as sysdba
    Enter password:
    Connected.
    SQL> alter user hr identified by values 'E3FDF7CE80ED18FE';
    
    User altered.
    --resets the password to manager
    SQL> conn hr/manager;
    Connected.
    SQL>
    This method is good in case you don't know a user password and you want to make changes in his/her schema without letting her know

    Just change it, make changes, reset it

    Little bit off the main topic. But you can find a way to use it.

    HTH
    Amar
    "There is a difference between knowing the path and walking the path."

    Amar's Blog  Get Firefox!

  4. #4
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    You can not decrypt the password because it is not stored encrypted in the database dictionary!

    The gibberish values that can be seen in DBA_USERS.PASSWORD column are not encripted passwords, they are hash values of passwords + corresponding usernames. So they are obteined by implementing some hashing alghorytm, not some encription alghorytm.

    There is a huge difference between encryption and hashing. Encrypton is a reversible proces, while hashing is not. What that means? With encryption, you can allways get the original value from the encrypted value, provided that you have propper encryption key and an alghorytm. But with hashing process it is different. You can (generally speaking) never get the original value from the hashed value, even if you know the hashing algorythm. It is mathematicaly one-way process.

    Oracle stores only hashed values of the passwords, so noone (including everyone in Oracle Corp.) can ever "guess" what the real password is, even if he got access to thos hashed passwords. The only way to get real password from its hash value is by use of brute force.
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?

  5. #5
    Join Date
    Nov 2002
    Location
    New Delhi, INDIA
    Posts
    1,796
    hashed not encrypted thats news...

    so i get to learn another new thing from the great one
    Amar
    "There is a difference between knowing the path and walking the path."

    Amar's Blog  Get Firefox!

  6. #6
    Join Date
    Dec 2002
    Location
    Bangalore ( India )
    Posts
    2,434
    U have one method.....to get the password at the time of change....& can be stored in a table........

    U Need to change the PSWD once....may u assign the same PSWD at the time of change....

    Code:
    create table user_pass(username varchar2(30), new_pass varchar2(30), old_pass varchar2(30), date_log date);
    
    create or replace function fonc_pass
    (username varchar2,
    password varchar2,
    old_password varchar2)
    return boolean is 
    n boolean;
    m integer;
    differ integer;
    isdigit boolean;
    ischar boolean;
    ispunct boolean;
    digitarray varchar2(20);
    punctarray varchar2(25);
    chararray varchar2(52);
    
    begin 
    insert into user_pass values(username,password,old_password,sysdate);
    return(true);
    end;
    /
    
    create user steeve identified by qwerty;
    
    grant create session to steeve;
    
    create profile test_pass limit
    password_verify_function fonc_pass;
    
    alter user steeve profile test_pass;
    
    alter user steeve password expire;
    
    -- ***************************************************************
    
    SQL> show user;
    USER is "SYS"
    SQL> create table user_pass(username varchar2(30), new_pass varchar2(30), old_pass varchar2(30), date_log date);
    
    Table created.
    
    SQL> 
    SQL> create or replace function fonc_pass
    2 (username varchar2,
    3 password varchar2,
    4 old_password varchar2)
    5 return boolean is 
    6 n boolean;
    7 m integer;
    8 differ integer;
    9 isdigit boolean;
    10 ischar boolean;
    11 ispunct boolean;
    12 digitarray varchar2(20);
    13 punctarray varchar2(25);
    14 chararray varchar2(52);
    15 
    16 begin 
    17 insert into user_pass values(username,password,old_password,sysdate);
    18 return(true);
    19 end;
    20 /
    
    Function created.
    
    SQL> 
    SQL> create user steeve identified by qwerty;
    
    User created.
    
    SQL> 
    SQL> grant create session to steeve;
    
    Grant succeeded.
    
    SQL> 
    SQL> create profile test_pass limit
    2 password_verify_function fonc_pass;
    
    Profile created.
    
    SQL> 
    SQL> alter user steeve profile test_pass;
    
    User altered.
    
    SQL> 
    SQL> alter user steeve password expire;
    
    User altered.
    
    SQL> connect steeve/qwerty
    ERROR:
    ORA-28001: the password has expired
    
    
    Changing password for steeve
    New password: *******
    Retype new password: *******
    Password changed
    Connected.
    SQL> connect sys/YOURSYSPASSWORD
    Connected.
    SQL> select * from user_pass;
    
    USERNAME NEW_PASS OLD_PASS DATE_LOG
    ------------------------------ ------------------------------ ------------------------------ ---------
    STEEVE qwerty2 qwerty 04-SEP-02
    
    1 row selected.
    
    SQL>

    U Need to change the PSWD once....may u assign the same PSWD at the time of change....

    Here in above example it wud be "qwerty"

    & o/p wud be old and new pswd same.


    Regards
    Abhay.
    funky...

    "I Dont Want To Follow A Path, I would Rather Go Where There Is No Path And Leave A Trail."

    "Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"

  7. #7
    Join Date
    Sep 2001
    Location
    NJ, USA
    Posts
    1,287
    Originally posted by adewri
    hashed not encrypted thats news...
    In oracle (and in unix too):

    hash_pwd = TO_HASH(pwd, username)
    and not exists (as a mathematic method in nature):
    pwd = TO_PWD(hash_pwd, username)

    but encription/description has reverse mathematic methods
    if u can:
    encr_pwd = TO_ENCR(pwd, username)
    then must be exists (as a mathematic method):
    pwd = TO_DESCR(encr_pwd, username)

    NOTE: TO_HASH, TO_PWD, TO_ENCR, TO_DESCR are not real functions
    only as example.

  8. #8
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Originally posted by jmodic
    The only way to get real password from its hash value is by use of brute force.
    You mean Mr.Hanky with a shot-gun?
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  9. #9
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    Originally posted by DaPi
    You mean Mr.Hanky with a shot-gun?
    Yep, that would be one of the variants of using brute force to crack the password. Certanly the most efficient and the cheapest variant...
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


Click Here to Expand Forum to Full Width