-
application user pw
Hi, just want to know if it is possible to find the location of the user password. For example I have user SCOTT; I want to know where the password resides in the database. Anyone? Thanks
-
Up until and including 10g Oracle stored the hash of the user's password in the dba_users table.
Starting in 11g it moved to the user$ table. Oracle stores a password as a hash with the intent
that it is a one-way hash. When someone logs in, Oracle generates a hash of the password that they
use and compares that hash to the stored hash to see if they are the same. If they are then it
must be the same password.
Depending on the complexity of the password it is possible to brute force the password using
a script like the one that Pete Finnigan wrote. However, if the password is complex it could take
a while to find the password.
https://www.google.com/url?sa=t&rct=...84349003,d.cWc
Given that you can lock Oracle accounts based on too many failures it can be very hard to hack into
an Oracle database without having the hash for the password in question. Also because Oracle uses
salt in its password you need to know what the hash is and what account the hash belongs to.
Of course if you have DBA privileges to a database, you don't need to know a password to change it.
-
Thanks Gandolf989..
Yes, we can alter the user password, but I want to verify if it is possible for some users to know the new password without sharing it with them. It is for a generic account for some of our databases.
Is it possible to add security for the tables/directory where the passwords are saved?
-
You should probably mention the version of Oracle and the operating system and operating system version to get anything definitive.
However, if you had O7_DICTIONARY_ACCESSIBILITY=TRUE you would make it very easy for anyone who can connect to your database
to brute force decrypt any username and password. So make sure that it is set to O7_DICTIONARY_ACCESSIBILITY=FALSE.
You should make sure that everyone has a different username to log into the database if possible and make sure that you aren't
using known default passwords like system/manager. Here is a site that will give you a list of default passwords and scripts to verify
that you aren't using any default passwords:
http://www.petefinnigan.com/default/...sword_list.htm
You should also make sure that you use a password function. Here is one example:
Code:
CREATE OR REPLACE FUNCTION SYS.verify_function
  (username     varchar2,
   password     varchar2,
   old_password varchar2)
RETURN boolean IS
BEGIN
  -- Check if the username is contained in the password
  IF instr(nls_lower(password), nls_lower(username)) > 0 THEN
    raise_application_error(-20001, 'Username is contained in password or is too similar to username');
  END IF;
  -- Check the minimum length of the password
  IF length(password) < 8 THEN
    raise_application_error(-20002, 'Password cannot be less than 8 in length');
  END IF;
  -- Check if the password is too simple. A dictionary of words may be
  -- maintained and a check may be made so as not to allow the words
  -- that are too simple for the password.
  IF nls_lower(password) IN ('welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd') THEN
    raise_application_error(-20003, 'Password too simple');
  END IF;
  -- The password must contain a lower-case letter, an upper-case letter,
  -- a digit and a character that is neither a letter nor a digit
  -- (a special character); otherwise it does not adhere to the policy.
  -- Note: the character classes are written without commas; a comma
  -- inside [...] is treated as a literal member of the class, so
  -- '[^A-Z,a-z,0-9]' would not count a comma as a special character.
  IF NOT (    regexp_like(password, '[a-z]')
          AND regexp_like(password, '[A-Z]')
          AND regexp_like(password, '[0-9]')
          AND regexp_like(password, '[^A-Za-z0-9]')) THEN
    raise_application_error(-20004, 'Password value must include a mix of letters, upper and lower, numbers, and a special character');
  END IF;
  -- Test that the password has no character repeated more than 2 times in a row
  IF    regexp_like(password, '([A-Za-z])\1\1')
     OR regexp_like(password, '([0-9])\1\1')
     OR regexp_like(password, '([^A-Za-z0-9])\1\1') THEN
    raise_application_error(-20005, 'Password value can have no more than 2 repeating values');
  END IF;
  -- Everything is fine; return TRUE
  RETURN TRUE;
END;
/
ALTER PROFILE default
  LIMIT PASSWORD_VERIFY_FUNCTION verify_function
        PASSWORD_LIFE_TIME       UNLIMITED
        PASSWORD_GRACE_TIME      UNLIMITED
        PASSWORD_REUSE_TIME      UNLIMITED
        PASSWORD_REUSE_MAX       9999
        FAILED_LOGIN_ATTEMPTS    10
        PASSWORD_LOCK_TIME       UNLIMITED
/
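As an added example that is not part of the thread or the poster's code: a SQL*Plus script a DBA can run to audit the points raised in this reply (O7_DICTIONARY_ACCESSIBILITY, default passwords, profile limits) and to dry-run a verify function like the one above against sample passwords before attaching it to a profile. It assumes 11g or later (for DBA_USERS_WITH_DEFPWD), that the function was created as SYS.verify_function as shown, and that the script is run as SYS or a user with SELECT_CATALOG_ROLE; the sample passwords are constructed for illustration.

```sql
SET SERVEROUTPUT ON

-- 1. Dictionary views must not be reachable through ANY privileges (expect FALSE).
SELECT name, value
FROM   v$parameter
WHERE  name = 'o7_dictionary_accessibility';

-- 2. Accounts still using a known default password (11g+ view).
SELECT username
FROM   dba_users_with_defpwd
ORDER  BY username;

-- 3. Profiles with weak password limits: no verify function or no lockout.
--    A limit of DEFAULT inherits from the DEFAULT profile, so check that one first.
SELECT p.profile, p.resource_name, p.limit
FROM   dba_profiles p
WHERE  p.resource_type = 'PASSWORD'
AND    (   (p.resource_name = 'PASSWORD_VERIFY_FUNCTION' AND p.limit = 'NULL')
        OR (p.resource_name = 'FAILED_LOGIN_ATTEMPTS'    AND p.limit = 'UNLIMITED'))
ORDER  BY p.profile, p.resource_name;

-- 4. Open accounts and the profile governing each, so shared "generic"
--    accounts can be mapped to a profile that carries the verify function.
SELECT u.username, u.account_status, u.profile
FROM   dba_users u
WHERE  u.account_status = 'OPEN'
ORDER  BY u.profile, u.username;

-- 5. Dry-run the verify function with constructed candidates. Each candidate
--    is built to exercise one rule (username, length, complexity, repeats)
--    and the last one to satisfy all of them.
DECLARE
  TYPE t_pw IS TABLE OF VARCHAR2(100);
  l_pw t_pw := t_pw('tiger', 'Scott_2024!', 'Password1', 'Abc111!xyz', 'Tr0ub4dor&3');
BEGIN
  FOR i IN 1 .. l_pw.COUNT LOOP
    BEGIN
      IF sys.verify_function('SCOTT', l_pw(i), NULL) THEN
        DBMS_OUTPUT.PUT_LINE(l_pw(i) || ': accepted');
      END IF;
    EXCEPTION
      -- raise_application_error surfaces here with the policy message
      WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE(l_pw(i) || ': rejected - ' || SQLERRM);
    END;
  END LOOP;
END;
/
```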
-
Thank you