Title: SQL Server to Oracle DB
If you want to be absolutely sure the password is being encrypted, you'll need to place a sniffer on the network. Work with your network guys and whoever else needs to be involved. In most companies, using an unauthorized sniffer will result in dismissal.

Let me reiterate what I stated. SQL*NET encrypts passwords even if the ORA_ENCRYPT_LOGIN parameter is not set to TRUE. I wouldn't label it strong encryption. If you really need that, there is the Advanced Security Option.

I'm not 100% sure when the password is sent in the clear. It is never sent in plain text when the ORA_ENCRYPT_LOGIN parameter is set to TRUE. I believe it will be sent in the clear if the Oracle server side of SQL*NET is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is set to false. (I cannot, off the top of my head, remember if the parameter takes YES/NO or TRUE/FALSE.)

The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all clients.
 
Ian MacGregor
Stanford Linear Accelerator Center
[EMAIL PROTECTED]
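
One way to carry out the capture-based check suggested above, as an added example that is not part of the original thread: log in once with a throwaway test password while an authorized capture runs, then scan the saved classic-pcap file for that password in clear text. The function names, the sample payloads and the test password are made up for illustration, and the case-folded variant is an assumption about how a client might send it.

```python
import io
import struct

def pcap_records(stream):
    """Yield (index, raw_bytes) for each packet in a classic libpcap file."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    if header[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif header[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng is not handled)")
    index = 0
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        yield index, stream.read(incl_len)
        index += 1

def find_cleartext(stream, password):
    """Return [(packet_index, encoding)] where the test password appears unencrypted."""
    needles = {
        "ascii": password.encode("ascii"),
        # Assumption: a client might fold the password to upper case before sending.
        "ascii-upper": password.upper().encode("ascii"),
        "utf-16le": password.encode("utf-16-le"),
    }
    return [(i, name) for i, data in pcap_records(stream)
            for name, needle in needles.items() if needle in data]

def build_sample_pcap(payloads):
    """Constructed sample: wrap byte strings as packets in an in-memory pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return io.BytesIO(out)

if __name__ == "__main__":
    # Constructed payloads, not real SQL*Net traffic.
    sample = build_sample_pcap([b"\x00\x10user=scott", b"pw=Tiger_Test1", b"\x9f\x03\xaa\x41"])
    print(find_cleartext(sample, "Tiger_Test1"))
```

An empty result only shows that the test password did not appear in these encodings within a single packet; it says nothing about the strength of whatever encryption was applied.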
 
 
-----Original Message-----
From: Richard Huntley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 9:59 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: ORA_ENCRYPT_LOGIN

That's exactly what I want to stop, passwords being sent in the clear. However, I'm not able to verify it's working so far. I've turned on tracing, as recommended in another reply on this topic, did a login before enabling then after enabling this parameter and the differences are very minor and I'm seeing nothing that specifically points to this parameter being used other than output saying the parameter is detected. How are you all having developers connect to the production box via SQL*Plus client on developer workstations, so that the password is not sent in the clear?
 
-----Original Message-----
From: MacGregor, Ian A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 8:18 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: ORA_ENCRYPT_LOGIN

Even without this parameter being set the password is encrypted. What the parameter does is stop the password from being sent in the clear if logging in with the encrypted password fails. I believe the encryption is a 54-bit variant of DES. It is very rare that someone improves DES by fiddling with it. It also always encrypts to the same value and provides no protection against replay attacks.
 
Ian MacGregor
Stanford Linear Accelerator Center
[EMAIL PROTECTED]
-----Original Message-----
From: Richard Huntley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 21, 2002 9:34 AM
To: Multiple recipients of list ORACLE-L
Subject: ORA_ENCRYPT_LOGIN

Anyone using this and if so, do you know of a way to verify that the password is actually being encrypted?
 
Thanks.
