Thanks Pete. 'twould be nice if Oracle allowed a package for complete control over the password. Doesn't seem to likely now though with so many authentication alternatives.
Jared On Sun, 2003-10-19 at 02:35, Pete Finnigan wrote: > > > >You could use it to enforce all lowercase, or init caps. > > > >Jared > > Hi Jared, > > You could do as you suggest and enforce all to lowercase or initcaps but > what is the point?, Oracle is not case sensitive for passwords even when > the password is set using quotes. See for example: > > SQL> connect system/[EMAIL PROTECTED] > Connected. > SQL> -- create a user no quotes lower case > SQL> create user jared identified by jared; > > User created. > > SQL> select password from dba_users where username='JARED'; > > PASSWORD > ------------------------------ > C142CAC4DE964694 > > SQL> -- change the password, no quotes upper case > SQL> alter user jared identified by JARED; > > User altered. > > SQL> select password from dba_users where username='JARED'; > > PASSWORD > ------------------------------ > C142CAC4DE964694 > > SQL> -- change the password, no quotes initcap > SQL> alter user jared identified by Jared; > > User altered. > > SQL> select password from dba_users where username='JARED'; > > PASSWORD > ------------------------------ > C142CAC4DE964694 > > SQL> -- try now with quotes, upper case > SQL> alter user jared identified by "JARED"; > > User altered. > > SQL> select password from dba_users where username='JARED'; > > PASSWORD > ------------------------------ > C142CAC4DE964694 > > SQL> -- with quotes, lower case > SQL> alter user jared identified by "jared"; > > User altered. > > SQL> select password from dba_users where username ='JARED'; > > PASSWORD > ------------------------------ > C142CAC4DE964694 > > SQL> -- with quotes initcap > SQL> alter user jared identified by "Jared"; > > User altered. > > SQL> select password from dba_users where username='JARED'; > > PASSWORD > ------------------------------ > C142CAC4DE964694 > > As yu can no doubt see the hash is the same no matter what case is used > and also even if the password is encased in quotes. This seems to defy > the logic of using quotes as doing so allows the use of any character > such as: > > SQL> alter user jared identified by "£$%^"; > > User altered. > > SQL> select password from dba_users where username='JARED'; > > PASSWORD > ------------------------------ > 8248DF340D98455E > > SQL> connect jared/"£$%^"@zulia > ERROR: > ORA-01045: user JARED lacks CREATE SESSION privilege; logon denied > > > Warning: You are no longer connected to ORACLE. > SQL> connect system/[EMAIL PROTECTED] > Connected. > SQL> grant create session to jared; > > Grant succeeded. > > SQL> connect jared/"£$%^"@zulia > Connected. > SQL> > > why then if it allows the whole character set including control > characters does it change make ASCII letters case insensitive? > > Anyway the point is from above the original OP cannot force a password > to be case sensitive as Oracle does not recognise case for passwords. > > kind regards > > Pete > -- > Pete Finnigan > email:[EMAIL PROTECTED] > Web site: http://www.petefinnigan.com - Oracle security audit specialists > Book:Oracle security step-by-step Guide - see http://store.sans.org for details. > > -- > Please see the official ORACLE-L FAQ: http://www.orafaq.net > -- > Author: Pete Finnigan > INET: [EMAIL PROTECTED] > > Fat City Network Services -- 858-538-5051 http://www.fatcity.com > San Diego, California -- Mailing list and web hosting services > --------------------------------------------------------------------- > To REMOVE yourself from this mailing list, send an E-Mail message > to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in > the message BODY, include a line containing: UNSUB ORACLE-L > (or the name of mailing list you want to be removed from). You may > also send the HELP command for other information (like subscribing). > -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Jared Still INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
