How to find if user has weak passwords?

**oracbase** · 09-05-2004, 11:19 PM

Hi,

Does anyone know how to check if any user in the database has weak passwords?

Cheers
Oracbase

**akhadar** · 09-06-2004, 02:09 AM

what do u mean by weak passwords?.u can't see the user passwords since they are encrypted.Make password policy and implement it.

**julian** · 09-06-2004, 03:01 AM

squirrel:

http://www.nextgenss.com/squirrelora.htm

**oracbase** · 09-06-2004, 04:34 AM

Hi,

Although the passwords in Oracle are encrypted, there is always possibilities that a user will choose a simple password like the same as his/her userid.

Before I enable password policy, I want to check the existing user account that if any uses simple password like for example their database userid.

Does Oracle enforce password check on existing database accounts?

Julian,
Thanks for the link, its an interesting product, but I don't think the company is willing to afford it at the moment.

I have got a piece of code from Metalink which can do what I wanted.
But the problem is the script works for 8i & 9i.
I am not good at PL/SQL. Do not know how to tweak this piece of code to work for Oracle 8 and below.

If anyone of you have time, please help me look at this code and hopefully make it work for Oracle8 and below.

It seems like in Oracle 8, "execute immediate.." is not allowed.

Here is the code:

create or replace procedure sys.find_joes as
-- Find users that have their password equal to their username
hexpw varchar2(30);
modpw varchar2(30);
un varchar2(30);
cursor c1 is select username,password from dba_users
where length(trim(password)) = 16; -- only consider db authenticated
begin
for i in c1 loop
hexpw := i.password;
un := i.username;
execute immediate 'alter user '||un||' identified by '||un;
select password into modpw from dba_users where username = un;
if modpw = hexpw then
dbms_output.put_line(un);
else
-- change password back to what it was
execute immediate
'alter user '||un||' identified by values '''||hexpw||'''';
end if;
end loop;
end;
/

Cheers
Oracbase

**DaPi** · 09-06-2004, 04:50 AM

Before EXECUTE IMMEDIATE there was DBMS_SQL:
http://download-west.oracle.com/docs...sql.htm#998100

**pando** · 09-06-2004, 05:26 AM

password is hashed not encrypted

you need to use password function to enforce password simplicity check

**bgill** · 09-06-2004, 07:48 AM

Have a look at this link. Some good docs re database security.

http://www.pentest.co.uk/cgi-bin/vie...at=whitepapers

**oracbase** · 09-07-2004, 01:49 AM

Hi All,

Thanks for all your great input.

I have got the metalink script working for Oracle version 8 & 7 using DBMS_SQL as mentioned by DaPi.

Appreciate all your help.

Cheers
Oracbase

Thread: How to find if user has weak passwords?

Thread Tools

Display

How to find if user has weak passwords?

Posting Permissions