-
Decrypt password
Hi everyone,
I have a situation where I want to get back my users' passwords, where a user might forget the password and the application wants to send the lost password to that particular user. And also this is transparent to the system admin user.
Any ideas on this?
Thanks
-
AFAIK you cannot decrypt the password stored in the data dictionary.
Sanjay G.
Oracle Certified Professional 8i, 9i.
"The degree of normality in a database is inversely proportional to that of its DBA"
-
You can not decrypt the password because it is not stored encrypted in the database dictionary!
The gibberish values that can be seen in the DBA_USERS.PASSWORD column are not encrypted passwords, they are hash values of passwords + corresponding usernames. So they are obtained by implementing some hashing algorithm, not some encryption algorithm.
There is a huge difference between encryption and hashing. Encryption is a reversible process, while hashing is not. What does that mean? With encryption, you can always get the original value from the encrypted value, provided that you have the proper encryption key and algorithm. But with the hashing process it is different. You can (generally speaking) never get the original value from the hashed value, even if you know the hashing algorithm. It is mathematically a one-way process.
Oracle stores only hashed values of the passwords, so no one (including everyone in Oracle Corp.) can ever "guess" what the real password is, even if he got access to those hashed passwords. The only way to get the real password from its hash value is by use of brute force.
Jurij Modic
ASCII a stupid question, get a stupid ANSI
24 hours in a day .... 24 beer in a case .... coincidence?
-
hashed not encrypted, that's news...
so I get to learn another new thing from the great one
Amar
"There is a difference between knowing the path and walking the path."

-
U have one method.....to get the password at the time of change....& can be stored in a table........
U Need to change the PSWD once....may u assign the same PSWD at the time of change....
Code:
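-- Table that receives every password change in clear text
create table user_pass(username varchar2(30), new_pass varchar2(30), old_pass varchar2(30), date_log date);

-- Password verify function: Oracle calls it with the clear-text new and old password
create or replace function fonc_pass
  (username     varchar2,
   password     varchar2,
   old_password varchar2)
  return boolean is
  -- Declared but not used by the body below
  n          boolean;
  m          integer;
  differ     integer;
  isdigit    boolean;
  ischar     boolean;
  ispunct    boolean;
  digitarray varchar2(20);
  punctarray varchar2(25);
  chararray  varchar2(52);
begin
  -- Log the change; every new password is accepted
  insert into user_pass values(username, password, old_password, sysdate);
  return(true);
end;
/

-- Test user with the logging function attached through a profile
create user steeve identified by qwerty;
grant create session to steeve;
create profile test_pass limit
  password_verify_function fonc_pass;
alter user steeve profile test_pass;
-- Force a password change at next login so the function fires
alter user steeve password expire;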
-- ***************************************************************
SQL> show user;
USER is "SYS"
SQL> create table user_pass(username varchar2(30), new_pass varchar2(30), old_pass varchar2(30), date_log date);
Table created.
SQL>
SQL> create or replace function fonc_pass
2 (username varchar2,
3 password varchar2,
4 old_password varchar2)
5 return boolean is
6 n boolean;
7 m integer;
8 differ integer;
9 isdigit boolean;
10 ischar boolean;
11 ispunct boolean;
12 digitarray varchar2(20);
13 punctarray varchar2(25);
14 chararray varchar2(52);
15
16 begin
17 insert into user_pass values(username,password,old_password,sysdate);
18 return(true);
19 end;
20 /
Function created.
SQL>
SQL> create user steeve identified by qwerty;
User created.
SQL>
SQL> grant create session to steeve;
Grant succeeded.
SQL>
SQL> create profile test_pass limit
2 password_verify_function fonc_pass;
Profile created.
SQL>
SQL> alter user steeve profile test_pass;
User altered.
SQL>
SQL> alter user steeve password expire;
User altered.
SQL> connect steeve/qwerty
ERROR:
ORA-28001: the password has expired
Changing password for steeve
New password: *******
Retype new password: *******
Password changed
Connected.
SQL> connect sys/YOURSYSPASSWORD
Connected.
SQL> select * from user_pass;
USERNAME NEW_PASS OLD_PASS DATE_LOG
------------------------------ ------------------------------ ------------------------------ ---------
STEEVE qwerty2 qwerty 04-SEP-02
1 row selected.
SQL>
U Need to change the PSWD once....may u assign the same PSWD at the time of change....
Here in above example it wud be "qwerty"
& o/p wud be old and new pswd same.
Regards
Abhay.
funky...
"I Dont Want To Follow A Path, I would Rather Go Where There Is No Path And Leave A Trail."
"Ego is the worst thing many have, try to overcome it & you will be the best, if not good, person on this earth"
-
Originally posted by adewri
hashed not encrypted, that's news...
In oracle (and in unix too):
hash_pwd = TO_HASH(pwd, username)
and there does not exist (as a mathematical method in nature):
pwd = TO_PWD(hash_pwd, username)
but encryption/decryption has reverse mathematical methods
if u can:
encr_pwd = TO_ENCR(pwd, username)
then there must exist (as a mathematical method):
pwd = TO_DESCR(encr_pwd, username)
NOTE: TO_HASH, TO_PWD, TO_ENCR, TO_DESCR are not real functions
only as example.
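
The hashing versus encryption distinction made in the posts above, as an added Python example (not part of any post and not Oracle's code): a login is checked by hashing the attempt again, a forgotten password can only be reset, and an encrypted one can be read back by whoever holds the key. PBKDF2 stands in for Oracle's hashing, the XOR keystream cipher is a toy for contrast only, and the names `to_hash`, `to_encr`, `to_descr`, `check_login` and `reset_password` are hypothetical, mirroring TO_HASH/TO_ENCR/TO_DESCR.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # constructed work factor for this example


def to_hash(password, username):
    # One-way: the username is mixed in as the salt (stand-in algorithm, not Oracle's).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), ITERATIONS)


def check_login(stored, username, attempt):
    # Verify by hashing the attempt and comparing; nothing is ever decrypted.
    expected = stored.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, to_hash(attempt, username))


def reset_password(stored, username):
    # Forgotten password: the old one cannot be read back, so a new one is issued.
    temporary = secrets.token_urlsafe(12)
    stored[username] = to_hash(temporary, username)
    return temporary  # handed to the user once, to be changed at first login


def _keystream(key, length):
    # HMAC-SHA256 in counter mode; toy construction, no nonce, not for real use.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def to_encr(password, key):
    # Reversible: XOR the password with the keystream.
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def to_descr(ciphertext, key):
    # The inverse exists: anyone holding the key recovers the clear text.
    stream = _keystream(key, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode()
```
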
-
Originally posted by jmodic
The only way to get real password from its hash value is by use of brute force.
You mean Mr.Hanky with a shot-gun?
"The power of instruction is seldom of much efficacy except in those happy dispositions where it is almost superfluous" - Gibbon, quoted by R.P.Feynman
-
Originally posted by DaPi
You mean Mr.Hanky with a shot-gun?
Yep, that would be one of the variants of using brute force to crack the password. Certainly the most efficient and the cheapest variant...
Jurij Modic
ASCII a stupid question, get a stupid ANSI
24 hours in a day .... 24 beer in a case .... coincidence?