Database user password
DBAsupport.com Forums - Powered by vBulletin

Thread: Database user password


  1. #1
    Join Date
    Jan 2000
    Posts
    387

    Database user password

    Hi

    Is there any way or table where I can see the passwords for the users in the database? Currently the password is being encrypted in the dba_users table... Please advise. Thanks!

  2. #2
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    That's it! Passwords are stored hashed (one-way encryption) and can't be viewed en clair.
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  3. #3
    Join Date
    Jan 2000
    Posts
    387
    *Ooops! Then if I want to create a page and allow users to update their password after verification through the database, there is no way this can be done??

  4. #4
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    If the hashing algorithm is public (I don't know - anyone out there who does? a v.quick Google didn't find what I wanted) you can hash the value given by the user and compare it with the stored value. Otherwise you will have to create your own authentication system!
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  5. #5
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    Originally posted by mooks
    *Ooops! Then if I want to create a page and allow users to update their password after verification through the database, there is no way this can be done??
    I don't understand this.

    If the user is already connected to the database when changing the password, then what's the point in checking the old password? He wouldn't be connected if he didn't know the old password. Simply let him enter only the new password (twice).

    If on the other hand the user is not connected to the database, yet you want to allow him to change his database password, why don't you simply try to connect to the database with the old password he supplied during the old password verification process? If the connection succeeds you proceed with changing the password; if not, the entered old password was not correct.

    Or what am I missing here?
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?

  6. #6
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Hi Jurij,

    The classic scenario is: the user logs on, goes off for coffee and someone else runs in & changes p/w. The other person can then access the application from elsewhere, until the original user has to log on again (say next morning) when the p/w mess gets sorted. Re-validating the p/w avoids this.
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  7. #7
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    Originally posted by DaPi
    Hi Jurij,

    The classic scenario is: the user logs on, goes off for coffee and someone else runs in & changes p/w. The other person can then access the application from elsewhere, until the original user has to log on again (say next morning) when the p/w mess gets sorted. Re-validating the p/w avoids this.
    Yep, makes sense.
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?

  8. #8
    Join Date
    Apr 2003
    Posts
    32
    Yes... you can see the passwords.

    Use this free tool:

    http://home.earthlink.net/~adamshalo...sword_cracker/

  9. #9
    Join Date
    Jun 2000
    Location
    Madrid, Spain
    Posts
    7,448
    well if you don't know the old password you cannot change the password right DaPi?

    that tool is brute force, it's like those password crackers for MS Office

  10. #10
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Originally posted by pando
    well if you don't know the old password you cannot change the password right DaPi?
    That is exactly what mooks is trying to enforce by ensuring that the same person enters both old and new values at the same time.
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
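
The flow discussed in posts #5, #6 and #10, as an added example that is not code from any poster in this thread: the old password is re-validated by opening a fresh session with it, and only that session changes the password. `change_db_password`, `AuthFailed` and the in-memory `FakeDb` are hypothetical names constructed here so the example runs offline; with a real driver, `connect` would wrap the driver's connect call and the session would be the driver's connection object.

```python
class AuthFailed(Exception):
    """Credentials rejected by the database (e.g. ORA-01017 on Oracle)."""


def change_db_password(connect, user, old_pw, new_pw, confirm_pw):
    """Re-validate old_pw with a fresh login, then change the password.
    connect(user, pw) returns a session with changepassword()/close() and
    raises AuthFailed on bad credentials (assumptions of this example)."""
    if new_pw != confirm_pw or not new_pw or new_pw == old_pw:
        return "new password rejected"
    try:
        # The login attempt is the check: nothing reads or compares the hash.
        session = connect(user, old_pw)
    except AuthFailed:
        return "old password incorrect"
    try:
        # Driver-level change: the password is never pasted into SQL text.
        session.changepassword(old_pw, new_pw)
    finally:
        session.close()
    return "changed"


class FakeDb:
    """Constructed in-memory stand-in for the database, for offline runs."""

    def __init__(self, users):
        self.users = dict(users)

    def connect(self, user, password):
        if self.users.get(user) != password:
            raise AuthFailed(user)
        return _FakeSession(self, user)


class _FakeSession:
    def __init__(self, db, user):
        self.db, self.user = db, user

    def changepassword(self, old, new):
        self.db.users[self.user] = new

    def close(self):
        pass


if __name__ == "__main__":
    db = FakeDb({"app_user": "old-secret"})  # constructed sample account
    for old in ("guess", "old-secret"):
        print(old, change_db_password(db.connect, "app_user", old, "n3w", "n3w"))
```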
