One way hash, yes, but can use username to forceably crack the password (same idea as unix CRACK password cracking program). Hash is consistent which is why you can pick up the password string and drop it to another database (same username) and have the password work on the new machine.
A non Oracle example would be to perform the following at the unix prompt:
echo 'some test string' | md5
With the hash, you could create several variations and test against the known or 'captured' hash. Again, brute force method.
Jon Baker
Database Architect
<[EMAIL PROTECTED]>
www.netsec.net
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Friday, February 22, 2002 12:18 AM
To: Multiple recipients of list ORACLE-L
Subject: Re: password question
Sameer,
The obvious answer "you can't decrypt the password". Else a number of
people would think harder about buying Oracle.
It's a one-way hash -- you can't get the original value back.
It is possible to temporarily reset a user's password to something else,
become the user with your own password and reset the password back
to the original value, without knowing what the original password was.
e.g. suppose a user's encrypted password string is 'ABCDEFGHIJKLMNOP',
read this string from DBA_USERS,
store it someplace (a variable, a table ;>),
execute ALTER USER <username> identified by <mypassword>,
login as the user CONNECT <username>/<mypassword>,
do your SQLs as that user,
reset the user's password ALTER USER <username> identified by values
'ABCDEFGHIJKLMNOP'
Hemant K Chitale
Principal DBA
Chartered Semiconductor Manufacturing Ltd
"Ghadge,Sameer" <[EMAIL PROTECTED]> 22/02/2002 11:38 AM
Sent by: [EMAIL PROTECTED]
Please respond to ORACLE-L
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group)
Subject: password question
Hi,
Oracle stores password in encrypted format,
is it possible (suppose i have access to dba_users table)
to retrieve and descrypt the password.
thx
Sameer
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Ghadge,Sameer
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author:
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
