Could not say about Net8, but in Oracle 7 clients, if the initial login fails, the client will do the *next* login attempt using *plain text* as password!!! But if this param is set to TRUE, all the attempts are done using an encrypted password.
Set ORA_ENCRYPT_LOGIN = TRUE in the correct ORACLE_HOME using regedit (if on Windows), turn the tracing level to 16, try to connect and see the trace file. You would see the userid in plain text but the password will be encrypted...

> ----------
> From: MacGregor, Ian A.[SMTP:[EMAIL PROTECTED]]
> Reply To: [EMAIL PROTECTED]
> Sent: Thursday, May 23, 2002 2:52 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
> If you want to be absolutely sure the password is being encrypted, you'll
> need to place a sniffer on the network. Work with your network guys and
> whoever else needs to be involved. In most companies, using an
> unauthorized sniffer will result in dismissal.
>
> Let me reiterate what I stated. SQL*NET encrypts passwords even if the
> ORA_ENCRYPT_LOGIN parameter is not set to TRUE. I wouldn't label it strong
> encryption. If you really need that, there is the Advanced Security
> Option.
>
> I'm not 100% sure when the password is sent in the clear. It is never
> sent plain text when the ORA_ENCRYPT_LOGIN parameter is set to TRUE. I
> believe it will be sent in the clear if the Oracle server side of SQL*NET
> is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is
> set to false. (I cannot, off the top of my head, remember if the
> parameter takes YES/NO or TRUE/FALSE.)
>
> The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all
> clients.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Richard Huntley [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 22, 2002 9:59 AM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
> That's exactly what I want to stop, passwords being sent in the
> clear. However, I'm not able to verify it's working so far. I've turned
> on tracing, as recommended in another reply on this topic, did a login
> before enabling then after enabling this parameter, and the differences are
> very minor and I'm seeing nothing that specifically points
> to this parameter being used other than output saying the parameter
> is detected. How are you all having developers connect to the production
> box via SQL*Plus client on developer workstations, so that the password is
> not sent in the clear?
>
> -----Original Message-----
> From: MacGregor, Ian A. [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 21, 2002 8:18 PM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: ORA_ENCRYPT_LOGIN
>
> Even without this parameter being set the password is encrypted.
> What the parameter does is stop the password from being sent in the clear
> if logging in with the encrypted password fails. I believe the
> encryption is a 54-bit variant of DES. It is very rare that someone
> improves DES by fiddling with it. It also always encrypts to the same
> value and provides no protection against replay attacks.
>
> Ian MacGregor
> Stanford Linear Accelerator Center
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: Richard Huntley [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 21, 2002 9:34 AM
> To: Multiple recipients of list ORACLE-L
> Subject: ORA_ENCRYPT_LOGIN
>
> Anyone using this and if so, do you know of a way to verify
> that the password is actually being encrypted?
>
> Thanks.

--
Author: Rahul
  INET: [EMAIL PROTECTED]
