Title: RE: ORA_ENCRYPT_LOGIN

Hmm...after trying to verify password being passed as plain text, I went back to
do some research on metalink, and it looks like encryption of passwords is done
by default in 8.1.5 (Net8) and higher.  Only confusion now is whether I need to
set ORA_ENCRYPT_LOGIN = TRUE only in sqlnet.ora on the client or also in the
NT registry.  Guess I'll go look through the docs on this and I'll send an update
if I find a definitive answer.  Thanks for the replies.

-----Original Message-----
From: Rahul [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 12:33 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: ORA_ENCRYPT_LOGIN


Could not say about Net8, but in Oracle 7 clients, if the initial login
fails, the client will do the *next* login attempt using *plain text* as
password!!! But if this param is set to TRUE, all the attempts are done
using an encrypted password.

Set ORA_ENCRYPT_LOGIN = TRUE in the correct ORACLE_HOME using regedit (if
on Windows). Turn the tracing level to 16, try to connect and see the trace
file; you would see the userid in plain text but the password will be
encrypted...


> ----------
> From:         MacGregor, Ian A.[SMTP:[EMAIL PROTECTED]]
> Reply To:     [EMAIL PROTECTED]
> Sent:         Thursday, May 23, 2002 2:52 AM
> To:   Multiple recipients of list ORACLE-L
> Subject:      RE: ORA_ENCRYPT_LOGIN
>
> If you want to be absolutely sure the password is being encrypted, you'll
> need to place a sniffer on the network.  Work with your network guys and
> whoever else needs to be involved.  In most companies, using an
> unauthorized sniffer will result in dismissal.
>
> Let me reiterate what I stated.  SQL*NET encrypts passwords even if the
> ORA_ENCRYPT_LOGIN parameter is not set to TRUE.  I wouldn't label it strong
> encryption.  If you really need that, there is the Advanced Security
> Option.
>
> I'm not 100% sure when the password is sent in the clear.  It is never
> sent plain text when the ORA_ENCRYPT_LOGIN parameter is set to TRUE.  I
> believe it will be sent in the clear if the Oracle server side of SQL*NET
> is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is
> set to false.  (I cannot, off the top of my head, remember if the
> parameter takes YES/NO or TRUE/FALSE.)
>
> The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all
> clients.

> Ian MacGregor
> Stanford Linear Accelerator Center
> [EMAIL PROTECTED]


>
>       -----Original Message-----
>       From: Richard Huntley [mailto:[EMAIL PROTECTED]]
>       Sent: Wednesday, May 22, 2002 9:59 AM
>       To: Multiple recipients of list ORACLE-L
>       Subject: RE: ORA_ENCRYPT_LOGIN
>
>
>       That's exactly what I want to stop, passwords being sent in the
> clear.  However, I'm not able to verify it's working so far.  I've turned
> on tracing, as recommended in another reply on this topic, did a login
> before enabling then after enabling this parameter and the differences are
> very minor and I'm seeing nothing that specifically points to this
> parameter being used other than output saying the parameter is detected.
> How are you all having developers connect to the production box via
> SQL*Plus client on developer workstations, so that the password is not
> sent in the clear?
>       
>       -----Original Message-----
>       From: MacGregor, Ian A. [mailto:[EMAIL PROTECTED]]
>       Sent: Tuesday, May 21, 2002 8:18 PM
>       To: Multiple recipients of list ORACLE-L
>       Subject: RE: ORA_ENCRYPT_LOGIN
>
>
>       Even without this parameter being set the password is encrypted.
> What the parameter does is stop the password from being sent in the clear
> if logging in with the encrypted password fails.  I believe the
> encryption is a 54-bit variant of DES.  It is very rare that someone
> improves DES by fiddling with it.  It also always encrypts to the same
> value and provides no protection against replay attacks.
>       
>       Ian MacGregor
>       Stanford Linear Accelerator Center
>       [EMAIL PROTECTED]
>
>               -----Original Message-----
>               From: Richard Huntley [mailto:[EMAIL PROTECTED]]
>               Sent: Tuesday, May 21, 2002 9:34 AM
>               To: Multiple recipients of list ORACLE-L
>               Subject: ORA_ENCRYPT_LOGIN
>
>
>               Anyone using this and if so, do you know of a way to verify
> that the password is actually being encrypted?
>               
>               Thanks.
>
>
Author: Rahul
  INET: [EMAIL PROTECTED]
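
An added example, not part of the original thread: one way to answer the "how do I verify it" question once an authorized capture of a test login exists, by searching every login attempt (including the retry after a failed first attempt) for a known test password. The payload bytes, the test password and the field layout below are constructed for illustration and are not real SQL*Net framing; checking the upper-cased form is an assumption about how a client might send the password.

```python
"""Search captured client-to-server payloads for a known test password."""


def candidate_encodings(password):
    """Byte forms a cleartext password could take on the wire."""
    forms = {}
    # Assumption: the client may upper-case the password before sending it.
    for label, text in (("as-typed", password), ("upper", password.upper())):
        forms[label + "/utf-8"] = text.encode("utf-8")
        forms[label + "/utf-16le"] = text.encode("utf-16-le")
        forms[label + "/utf-16be"] = text.encode("utf-16-be")
    return forms


def find_cleartext(attempts, password):
    """attempts: one list of TCP payloads (bytes) per login attempt.

    The payloads of an attempt are joined before searching, so a password
    split across two segments is still found.
    Returns a list of (attempt_number, encoding_label, offset).
    """
    hits = []
    for number, payloads in enumerate(attempts, start=1):
        stream = b"".join(payloads)
        for label, needle in candidate_encodings(password).items():
            offset = stream.find(needle)
            if offset != -1:
                hits.append((number, label, offset))
    return hits


# Constructed sample data (hypothetical layout, not real SQL*Net packets).
TEST_PASSWORD = "Tr4ce_Me_2002"
# First attempt: the credential field holds opaque bytes.
FIRST_ATTEMPT = [b"\x00\x3a\x00\x00user=SCOTT;",
                 bytes.fromhex("9f3c1ab07d55e2c4") + b";"]
# Retry after a failed login: password in the clear, split over two segments.
FALLBACK_ATTEMPT = [b"\x00\x3a\x00\x00user=SCOTT;pw=TR4CE_", b"ME_2002;"]

if __name__ == "__main__":
    for hit in find_cleartext([FIRST_ATTEMPT, FALLBACK_ATTEMPT], TEST_PASSWORD):
        print("cleartext password in attempt %d (%s) at offset %d" % hit)
```

Use a throwaway account and password for the test login, and capture a deliberately failed first attempt as well, since that is the case the thread says triggers the plain-text retry.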