-
That's baloney. That password cracker is only a toy (quite a harmless one, I would add). Its attack is based on utilizing "brute force": it tries all possible passwords from the supplied dictionary, hashes them using Oracle's hash algorithm and sees if they match the real hashed password. Now I can assure you that by using this toy you will not be able to see plain passwords on any system with decent password security standards enforced.
Jurij Modic
ASCII a stupid question, get a stupid ANSI
24 hours in a day .... 24 beer in a case .... coincidence?
-
Originally posted by jmodic
hashes them using Oracle's hash algorithm
NOW THIS IS WHAT WE WANT. Jurij, do you know any refs to the algorithm? With that mooks can build p/w checking into his application.
"The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
-
No, I think he wants to know users' passwords so he can reset them, and not because he wants to know the old password in order to change to a new one. Well, at least in many places I have seen, if a user forgets his password what he normally does is ask the corresponding department to reset it to a standard password and not to his old password.
Also we don't know what tool he is talking about, so I am not sure, but talking about command line tools like sqlplus, it asks you for the old password before changing to a new one. My point was: if a guy does not know the old password, how can he change someone else's password?
-
Hmm, even if you know the algorithm, what can you do with a hashed value...? It's one way, as you said it; no way to unhash.
-
Originally posted by DaPi
Jurij, do you know any refs to the algorithm?
No, but I guess it can't be any top secret. After all, you can buy the full version of that password cracker for 4 dollars, and with that you get its source code. So the algorithm is available for as cheap as $4.00.
Jurij Modic
ASCII a stupid question, get a stupid ANSI
24 hours in a day .... 24 beer in a case .... coincidence?
-
Reply to pando:
1) user enters old p/w and new p/w (twice)
2) application hashes old p/w and compares with stored value in db
3) if (2) is OK, application executes an ALTER USER
In almost all security environments I've been in, p/w change is forced after n days and the user also has the option to change p/w more frequently (which is what mooks is trying to do). Windows can do this, AS/400, etc.
Last edited by DaPi; 05-07-2003 at 07:26 AM.
"The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
-
. . . and today's trivia:
The word algorithm, besides being impossible to spell, is a corruption of Al-Khowarizmi, the name of a 9th century mathematician: http://www.aug.edu/dvskel/MichSP93.htm
"The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
-
We are talking about the same thing, except for what mooks tries to do; I don't see the need to know the old password from an administrator's point of view. If a password expires after 30 days, the application prompts the user to change their password; if they don't remember it they call us, we do alter user identified by standard password, phone them back and that's it? Or not?
-
My security view-point is determined by what auditors inflict upon me (in three very different business areas now).
a) The norm is that the user should manage his/her own password and be fully accountable for what is done using that userid/password combination. This requires the option to change it at will, e.g. if the end-user thinks it might have been compromised.
b) If, due to a forgotten password, the admin has to "alter user identified by standard password" then the end-user should be forced (or at least encouraged) to change it immediately. Otherwise the admin can impersonate the end user - as would be recorded in an application audit trail. (Obviously the admin doesn't need the old p/w.)
mooks doesn't say so, but I suspect his end-users are a long way away from a SQL> prompt and he wants to build a user-friendly way to allow the end-user to deal with the above two points.
"The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
-
I don't understand the first point. I mean, the security I have seen so far has always been like that: users change their password at their will, but obviously they need to know their old password; if they don't know it, their only chance is to ask the admin to reset their password to a standard password.
The other thing is the point you mentioned to jmodic: if some user X doesn't know my password, how can he change my password while I was out for coffee or whatever? If he wants to change my password he must know my old password.
I still see what his intentions are: he wants to know the user's password. For what? I don't know. Probably he doesn't want to use a standard password; rather he wants to reset to the user's old password. The other day I phoned my ISP because I had problems with my password (they kept on resetting it to a new password and to the old one at their will).
The problem came when they told me on the phone:
"Ok sir, wait a sec, I will check your password and see if I can login"
That was it! I thought, what the heck, a technical support person knows my personal mail password??? Ok, so they store the plain password in a table then. That really made me feel insecure! So my point is no one should know the user's old password! If the user can't remember it? Then the administrators will simply reset it to a standard password or to another one the user asks for.
The second you can do with
alter user XXX identified by standard_pwd password expire;
When the user enters it, it says
Code:
lsc@LNX920-RAC1>alter user hr identified by std password expire;
User altered.
hr@LNX920>@conn hr
Enter password: std
ERROR:
ORA-28001: the password has expired
Changing password for hr
New password:
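The two flows discussed in this thread, the application-side change (user supplies old p/w plus new p/w twice, the old one is verified against the stored hash, then the equivalent of ALTER USER runs) and the admin reset with PASSWORD EXPIRE that refuses login until the user picks a new password, put together as an added example that is not code from the thread or from Oracle. Oracle's real hash algorithm is not given here, so a salted PBKDF2-SHA256 over an in-memory dictionary is assumed as a stand-in for the password store.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-SHA256 with a per-user salt stands in for Oracle's hash.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_user(store, user, password):
    """Constructed stand-in for the row Oracle keeps per user."""
    salt = os.urandom(16)
    store[user] = {"salt": salt, "hash": _hash(password, salt), "expired": False}

def verify(store, user, password):
    """Step 2: hash the supplied password and compare with the stored value."""
    row = store.get(user)
    if row is None:
        return False
    return hmac.compare_digest(row["hash"], _hash(password, row["salt"]))

def change_password(store, user, old, new, new_again):
    """Steps 1-3: old and new (twice) entered; only if the old one verifies
    does the equivalent of ALTER USER ... IDENTIFIED BY new run."""
    if new != new_again:
        return "new passwords do not match"
    if not verify(store, user, old):
        return "old password incorrect"
    salt = os.urandom(16)
    store[user].update(salt=salt, hash=_hash(new, salt), expired=False)
    return "ok"

def admin_reset(store, user, standard_pwd):
    """ALTER USER ... IDENTIFIED BY standard_pwd PASSWORD EXPIRE: the admin
    never needs the old password, and the reset value is flagged expired so
    the admin cannot quietly keep using it to impersonate the user."""
    salt = os.urandom(16)
    store[user].update(salt=salt, hash=_hash(standard_pwd, salt), expired=True)

def login(store, user, password):
    """Mimics the session above: a correct but expired password is refused
    with ORA-28001 until change_password has been run."""
    if not verify(store, user, password):
        return "invalid username/password"
    if store[user]["expired"]:
        return "ORA-28001: the password has expired"
    return "connected"
```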