DBAsupport.com Forums - Powered by vBulletin

Thread: Database user password

  1. #11
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    Originally posted by freedba
    Yes... you can see the passwords.

    Use this free tool:

    http://home.earthlink.net/~adamshalo...sword_cracker/
    That's baloney. That password cracker is only a toy (quite a harmless one, I would add). Its attack is based on "brute force": it tries all possible passwords from the supplied dictionary, hashes them using Oracle's hash algorithm and sees if they match the real hashed password. Now I can assure you that by using this toy you will not be able to see plain passwords on any system with decent password security standards enforced.
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?

  2. #12
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Originally posted by jmodic
    hashes them using Oracle's hash algorithm
    NOW THIS IS WHAT WE WANT. Jurij, do you know any refs to the algorithm? With that mooks can build p/w checking into his application.
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  3. #13
    Join Date
    Jun 2000
    Location
    Madrid, Spain
    Posts
    7,447
    No, I think he wants to know users' passwords so he can reset them, and not because he wants to know the old password in order to change to a new one. Well, at least in many places I have seen, if some user forgets his password what he normally does is ask the corresponding department to reset it to a standard password, and not to his old password.


    Also, we don't know what tool he is talking about so I am not sure, but talking about command line tools like sqlplus, it asks you for the old password before changing to a new one. My point was: if a guy does not know the old password, how can he change someone else's password?

  4. #14
    Join Date
    Jun 2000
    Location
    Madrid, Spain
    Posts
    7,447
    Hmm, even if you know the algorithm, what can you do with a hashed value...? It's one way, as you said, no way to unhash.

  5. #15
    Join Date
    Dec 2000
    Location
    Ljubljana, Slovenia
    Posts
    4,439
    Originally posted by DaPi
    Jurij, do you know any refs to the algorithm?
    No, but I guess it can't be any top secret. After all, you can buy the full version of that password cracker for 4 dollars, and with that you get its source code. So the algorithm is available for as cheap as $4.00.
    Jurij Modic
    ASCII a stupid question, get a stupid ANSI
    24 hours in a day .... 24 beer in a case .... coincidence?

  6. #16
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Reply to pando:

    1) user enters old p/w and new p/w (twice)
    2) application hashes old p/w and compares with stored value in db
    3) if (2) is OK, application executes an ALTER USER

    In almost all security environments I've been in, p/w change is forced after n days and the user also has the option to change p/w more frequently (which is what mooks is trying to do). Windows can do this, AS/400, etc.
    Last edited by DaPi; 05-07-2003 at 07:26 AM.
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  7. #17
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    . . . and today's trivia:
    The word algorithm, besides being impossible to spell, is a corruption of Al-Khowarizmi, the name of a 9th century mathematician: http://www.aug.edu/dvskel/MichSP93.htm
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  8. #18
    Join Date
    Jun 2000
    Location
    Madrid, Spain
    Posts
    7,447
    We are talking about the same thing, except for what mooks tries to do: I don't see the need of knowing the old password from the administrator's view. If a password expires after 30 days, the application prompts the user to change their password; if they don't remember it they call us, we do alter user identified by a standard password, phone them back and that's it? Or not?

  9. #19
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    My security view-point is determined by what auditors inflict upon me (in three very different business areas now).

    a) The norm is that the user should manage his/her own password and be fully accountable for what is done using that userid/password combination. This requires the option to change it at will, e.g. if the end-user thinks it might have been compromised.

    b) If, due to a forgotten password, the admin has to "alter user identified by standard password" then the end-user should be forced (or at least encouraged) to change it immediately. Otherwise the admin can impersonate the end user - as would be recorded in an application audit trail. (Obviously the admin doesn't need the old p/w.)

    mooks doesn't say so, but I suspect his end-users are a long way away from a SQL> prompt and he wants to build a user-friendly way to allow the end-user to deal with the above two points.
    "The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman

  10. #20
    Join Date
    Jun 2000
    Location
    Madrid, Spain
    Posts
    7,447
    I don't understand the first point. I mean, the security I have seen so far has always been like that: users change their password at will, but obviously they need to know their old password; if they don't know it, their only chance is to ask the admin to reset their password to a standard password.

    The other thing is the point you mentioned to jmodic: if a user X doesn't know my password, how can he change my password while I was out for coffee or whatever? If he wants to change my password he must know my old password.

    I still see his intentions: he wants to know users' passwords. For what? I don't know. Probably he doesn't want to use a standard password; rather he wants to reset to the user's old password. The other day I phoned my ISP because I had problems with my password (they kept on resetting it to a new password and to the old one at their will).
    The problem came when they told me on the phone:

    "Ok sir, wait a sec, I will check your password and see if I can login"

    That was it! I thought, what the heck, a technical support person knows my personal mail password??? Ok, so they store the plain password in a table then. That really made me feel insecure! So my point is no one should know a user's old password! If the user can't remember it? Then the administrators will simply reset it to a standard password or to another one the user asks for.


    The second one you can do with

    alter user XXX identified by standard_pwd password expire;

    when the user enters it, it says

    Code:
    lsc@LNX920-RAC1>alter user hr identified by std password expire;
    
    User altered.
    
    hr@LNX920>@conn hr
    Enter password: std
    ERROR:
    ORA-28001: the password has expired
    
    Changing password for hr
    New password:
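    The two flows discussed in this thread, DaPi's three-step self-service change in post #16 (verify the old password, then ALTER USER) and pando's admin reset with PASSWORD EXPIRE in post #20, written out as an added example that is not any poster's code. It assumes an in-memory user table with a PBKDF2 stand-in for the database's own one-way hash (Oracle's algorithm is not shown in the thread), and that ALTER USER, being DDL, cannot take the password as a bind variable, so the value is allow-listed and double-quoted before it is placed in the statement.

```python
import hashlib
import re
import secrets

# Constructed in-memory stand-in for the user table. PBKDF2 is a placeholder
# for whatever one-way function the real database applies; Oracle's own
# algorithm is not shown in the thread and is not reproduced here.
_SALT = b"constructed-salt"


def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000).hex()


USERS = {"HR": {"hash": _hash("old-secret"), "expired": False}}

# ALTER USER is DDL, which takes no bind variables, so the new password is
# allow-listed and double-quoted instead of being interpolated raw.
_USER_OK = re.compile(r"^[A-Z][A-Z0-9_]{0,29}$")
_PW_OK = re.compile(r"^[A-Za-z0-9_\-#$@]{12,64}$")


def build_alter_user(user, new_pw, expire=False):
    if not _USER_OK.match(user) or not _PW_OK.match(new_pw):
        raise ValueError("user or password outside the allow-list")
    stmt = f'ALTER USER {user} IDENTIFIED BY "{new_pw}"'
    return stmt + (" PASSWORD EXPIRE" if expire else "")


def change_password(user, old_pw, new_pw, new_pw_again):
    """DaPi's steps 1-3: verify the old password, then issue ALTER USER."""
    if new_pw != new_pw_again:
        return None
    row = USERS.get(user)
    # Constant-time compare of the stored hash with the hash of what was typed.
    if row is None or not secrets.compare_digest(row["hash"], _hash(old_pw)):
        return None  # wrong old password: no DDL is built at all
    stmt = build_alter_user(user, new_pw)
    row.update(hash=_hash(new_pw), expired=False)
    return stmt  # hand this to the driver; never write it to a log


def admin_reset(user):
    """pando's reset: a random temporary password, expired at once, so the
    user must pick their own at first login and the admin never holds a
    password that stays valid (DaPi's point b)."""
    temp = secrets.token_urlsafe(12)  # 16 chars from [A-Za-z0-9_-]
    stmt = build_alter_user(user, temp, expire=True)
    USERS[user].update(hash=_hash(temp), expired=True)
    return stmt, temp
```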
