What encryption algorithm is used to store passwords in the database
What encryption algorithm is used to store passwords in the database? Also, in the application server, what algorithm is used to store passwords in OID? Is it DES, Triple DES, SHA-1, etc?
...and this is where the concept of a proprietary algorithm makes itself evident.
Nevertheless, you are going to love taking a look at http://www.red-database-security.com...passwords.html
Last edited by PAVB; 08-31-2007 at 09:43 AM.
Pablo (Paul) Berzukov
Author of Understanding Database Administration
available at amazon and other bookstores.
Disclaimer: Advice is provided to the best of my knowledge, but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions in a test, non-production environment, the advisor should not be held liable or responsible for any actions taken based on the given advice.
They aren't encrypted, they are hashed - big difference.
Ok. What hashing algorithm is used in the 10g database to store passwords in the DBA_USERS data dictionary view?
The one-way algorithm used to calculate password hashes is not openly documented by Oracle, but references on-line and in printed materials provide sufficient information to reproduce the algorithm.

A 1993 post on the comp.databases.oracle newsgroup describes the algorithm in detail, identifying an unknown fixed key as an input parameter. This key value was later published in the book "Special Ops", providing sufficient information to reproduce the algorithm. The algorithm can be described as follows:

1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.
Ok. It seems, then, that the algorithm is DES.
I wonder why something straightforward like MD5 or a SHA version wasn't used?