How to find if user has weak passwords?

Thread: How to find if user has weak passwords?

  1. #1
    Join Date
    Apr 2001
    Posts
    110

    How to find if user has weak passwords?

    Hi,

    Does anyone know how to check if any user in the database has weak passwords?

    Cheers
    Oracbase
    What's next after 10g?

  2. #2
    Join Date
    May 2001
    Posts
    736
    What do you mean by weak passwords? You can't see the user passwords since they are encrypted. Make a password policy and implement it.

  3. #3
    Join Date
    Jun 2001
    Location
    Helsinki. Finland
    Posts
    3,938
    Oracle Certified Master
    Oracle Certified Professional 6i,8i,9i,10g,11g
    email: ocp_9i@yahoo.com

  4. #4
    Join Date
    Apr 2001
    Posts
    110
    Hi,

    Although the passwords in Oracle are encrypted, there is always the possibility that a user will choose a simple password, such as one that is the same as his/her userid.

    Before I enable a password policy, I want to check the existing user accounts to see if any use a simple password like, for example, their database userid.

    Does Oracle enforce password check on existing database accounts?

    Julian,
    Thanks for the link, it's an interesting product, but I don't think the company is willing to afford it at the moment.

    I have got a piece of code from Metalink which can do what I wanted.
    But the problem is the script works for 8i & 9i.
    I am not good at PL/SQL. I do not know how to tweak this piece of code to work for Oracle 8 and below.

    If any of you have time, please help me look at this code and hopefully make it work for Oracle 8 and below.

    It seems like in Oracle 8, "execute immediate.." is not allowed.

    Here is the code:

    create or replace procedure sys.find_joes as
      -- Find users that have their password equal to their username
      hexpw varchar2(30);  -- original password hash
      modpw varchar2(30);  -- hash after setting password = username
      un    varchar2(30);
      cursor c1 is
        select username, password from dba_users
        where length(trim(password)) = 16; -- only consider db authenticated
    begin
      for i in c1 loop
        hexpw := i.password;
        un := i.username;
        -- temporarily set the password to the username
        execute immediate 'alter user '||un||' identified by '||un;
        select password into modpw from dba_users where username = un;
        if modpw = hexpw then
          -- hash unchanged: the password was already the username
          dbms_output.put_line(un);
        else
          -- change password back to what it was
          execute immediate
            'alter user '||un||' identified by values '''||hexpw||'''';
        end if;
      end loop;
    end;
    /


    Cheers
    Oracbase
    What's next after 10g?

  5. #5
    Join Date
    Nov 2002
    Location
    Geneva Switzerland
    Posts
    3,142
    Before EXECUTE IMMEDIATE there was DBMS_SQL:
    http://download-west.oracle.com/docs...sql.htm#998100

  6. #6
    Join Date
    Jun 2000
    Location
    Madrid, Spain
    Posts
    7,447
    The password is hashed, not encrypted.

    You need to use a password function to enforce a password simplicity check.

  7. #7
    Join Date
    Jun 2001
    Location
    Dublin, Ireland
    Posts
    66
    Have a look at this link. Some good docs re database security.

    http://www.pentest.co.uk/cgi-bin/vie...at=whitepapers

  8. #8
    Join Date
    Apr 2001
    Posts
    110
    Hi All,

    Thanks for all your great input.

    I have got the Metalink script working for Oracle versions 8 & 7 using DBMS_SQL as mentioned by DaPi.

    Appreciate all your help.

    Cheers
    Oracbase
    What's next after 10g?
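
One way the DBMS_SQL rewrite mentioned in the thread could look, as an added example that is neither the Metalink script nor the poster's working version. The procedure name `find_joes_dbms_sql` and the `run_ddl` helper are hypothetical; the example also uses RTRIM in the filter and restores the original hash if a step fails, so an account is not left with its username as its password.

```sql
create or replace procedure sys.find_joes_dbms_sql as
  -- Added example (hypothetical names): find users whose password equals
  -- their username, using DBMS_SQL instead of EXECUTE IMMEDIATE.
  modpw varchar2(30);

  cursor c1 is
    select username, password
      from dba_users
     where length(rtrim(password)) = 16;  -- only db-authenticated accounts

  -- Run one DDL statement. DBMS_SQL.PARSE executes DDL as it parses it,
  -- so no separate EXECUTE call is needed.
  procedure run_ddl(stmt in varchar2) is
    cur integer;
  begin
    cur := dbms_sql.open_cursor;
    begin
      dbms_sql.parse(cur, stmt, dbms_sql.native);
    exception
      when others then
        dbms_sql.close_cursor(cur);  -- do not leak the cursor on failure
        raise;
    end;
    dbms_sql.close_cursor(cur);
  end run_ddl;
begin
  for i in c1 loop
    begin
      -- temporarily set the password to the username
      run_ddl('alter user ' || i.username || ' identified by ' || i.username);
      select password into modpw from dba_users where username = i.username;
      if modpw = i.password then
        dbms_output.put_line(i.username);  -- hash unchanged: weak password
      else
        run_ddl('alter user ' || i.username ||
                ' identified by values ''' || i.password || '''');
      end if;
    exception
      when others then
        -- put the original hash back before reporting the error
        run_ddl('alter user ' || i.username ||
                ' identified by values ''' || i.password || '''');
        raise;
    end;
  end loop;
end;
/
```

Run it with `set serveroutput on` so the DBMS_OUTPUT lines are shown.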
