DBAsupport.com Forums - Powered by vBulletin

Thread: <question>application user pw

  1. #1
    Join Date
    Jan 2015
    Posts
    9

    <question>application user pw

    Hi, I just want to know if it is possible to find the location of the user password. For example, I have user SCOTT; I want to know where the password resides in the database. Anyone? Thanks

  2. #2
    Join Date
    Nov 2000
    Location
    Pittsburgh, PA
    Posts
    4,166
    Up until and including 10g Oracle stored the hash of the user's password in the dba_users table.
    Starting in 11g it moved to the user$ table. Oracle stores a password as a hash with the intent
    that it is a one-way hash. When someone logs in Oracle generates a hash of the password that they
    use and compares that hash to the stored hash to see if they are the same. If they are then it
    must be the same password.

    Depending on the complexity of the password it is possible to brute force the password using
    a script like the one that Pete Finnigan wrote. However, if the password is complex it could take
    a while to find the password.

    https://www.google.com/url?sa=t&rct=...84349003,d.cWc

    Given that you can lock Oracle accounts based on too many failures it can be very hard to hack into
    an Oracle database without having the hash for the password in question. Also because Oracle uses
    salt in its password you need to know what the hash is and what account the hash belongs to.

    Of course if you have DBA privileges to a database, you don't need to know a password to change it.

  3. #3
    Join Date
    Jan 2015
    Posts
    9
    Thanks Gandolf989.

    Yes, we can alter the user password, but I want to verify if it is possible for some users to know the new password without sharing it with them. It is for a generic account for some of our databases.

    Is it possible to add security for the tables/directory where the passwords are saved?

  4. #4
    Join Date
    Nov 2000
    Location
    Pittsburgh, PA
    Posts
    4,166
    You should probably mention the version of Oracle and the operating system and operating system version to get anything definitive.
    However, if you had O7_DICTIONARY_ACCESSIBILITY=TRUE you would make it very easy for anyone who can connect to your database
    to brute force decrypt any username and password. So make sure that it is set to O7_DICTIONARY_ACCESSIBILITY=FALSE.

    You should make sure that everyone has a different username to log into the database if possible and make sure that you aren't
    using known default passwords like system/manager. Here is a site that will give you a list of default passwords and scripts to verify
    that you aren't using any default passwords:

    http://www.petefinnigan.com/default/...sword_list.htm

    You should also make sure that you use a password function. Here is one example:

    Code:
    CREATE OR REPLACE FUNCTION SYS.verify_function
        (username     varchar2,
         password     varchar2,
         old_password varchar2)
    RETURN boolean IS
    BEGIN
        -- Reject a password that contains the username (case-insensitive)
        IF instr(nls_lower(password), nls_lower(username)) > 0 THEN
            raise_application_error(-20001, 'Username is contained in password or is too similar to username');
        END IF;
        -- Check the minimum length of the password
        IF length(password) < 8 THEN
            raise_application_error(-20002, 'Password cannot be less than 8 in length');
        END IF;
        -- Check if the password is too simple. A dictionary of words may be
        -- maintained and a check may be made so as not to allow the words
        -- that are too simple for the password.
        IF nls_lower(password) IN ('welcome', 'database', 'account', 'user', 'password', 'oracle', 'computer', 'abcd') THEN
            raise_application_error(-20003, 'Password too simple');
        END IF;
        -- Require at least one lower-case letter, one upper-case letter,
        -- one digit and one character that is none of those (a special
        -- character). A comma inside [...] is a literal character, so the
        -- classes are written without commas; '[^A-Z,a-z,0-9]' would
        -- wrongly treat a comma as not being a special character.
        IF NOT (    regexp_like(password, '[a-z]')
                AND regexp_like(password, '[A-Z]')
                AND regexp_like(password, '[0-9]')
                AND regexp_like(password, '[^A-Za-z0-9]')) THEN
            raise_application_error(-20004, 'Password value must include a mix of letters, upper and lower, numbers, and a special character');
        END IF;
        -- Reject any character that repeats three or more times in a row
        IF    regexp_like(password, '([A-Za-z])\1\1')
           OR regexp_like(password, '([0-9])\1\1')
           OR regexp_like(password, '([^A-Za-z0-9])\1\1') THEN
            raise_application_error(-20005, 'Password value can have no more than 2 repeating values');
        END IF;
        -- Everything is fine; return TRUE
        RETURN TRUE;
    END;
    /
    ALTER PROFILE default LIMIT
        PASSWORD_VERIFY_FUNCTION verify_function
        PASSWORD_LIFE_TIME       UNLIMITED
        PASSWORD_GRACE_TIME      UNLIMITED
        PASSWORD_REUSE_TIME      UNLIMITED
        PASSWORD_REUSE_MAX       9999
        FAILED_LOGIN_ATTEMPTS    10
        PASSWORD_LOCK_TIME       UNLIMITED
    /
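As an added example (not from this thread, and not Oracle's own script), here are the data-dictionary queries a DBA can run to check the points made in posts #2 to #4: where the hashes are kept, who can read them, the O7_DICTIONARY_ACCESSIBILITY setting, accounts on known default passwords, and whether the profile really enforces the verify function. It assumes Oracle 11g or later and a session with DBA privileges.

```sql
-- Added example, not from the thread. Assumes 11g+ and DBA privileges.

-- 1. Where the hashes live in 11g+: SYS.USER$ (SPARE4 holds the 'S:'
--    and, in later releases, 'T:' values), not the DBA_USERS view.
SELECT name, spare4
  FROM sys.user$
 WHERE name = 'SCOTT';

-- 2. Who can read the hash store. Keep this list as short as possible;
--    SELECT ANY TABLE only reaches SYS objects when
--    O7_DICTIONARY_ACCESSIBILITY is TRUE, which is why it must be FALSE.
SELECT grantee, privilege,    'object grant on SYS.USER$' AS source
  FROM dba_tab_privs
 WHERE owner = 'SYS' AND table_name = 'USER$'
UNION ALL
SELECT grantee, privilege,    'system privilege'
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
UNION ALL
SELECT grantee, granted_role, 'role'
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE');

-- 3. The parameter from post #4: expect VALUE = FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name = 'O7_DICTIONARY_ACCESSIBILITY';

-- 4. Accounts still on a known default password (view exists from 11g).
SELECT username
  FROM dba_users_with_defpwd;

-- 5. Confirm the DEFAULT profile enforces the verify function and lockout.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND profile = 'DEFAULT'
   AND resource_name IN ('PASSWORD_VERIFY_FUNCTION',
                         'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_LOCK_TIME');

-- 6. Open accounts on a profile with no verify function bypass the checks.
--    A limit of 'DEFAULT' inherits from the DEFAULT profile; 'NULL' means
--    no function at all.
SELECT u.username, u.profile, u.account_status
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
   AND p.limit = 'NULL'
   AND u.account_status = 'OPEN';
```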

  5. #5
    Join Date
    Jan 2015
    Posts
    9
    Thank you
