RE: Password management using profiles
Yup..we just added the functionalty to the verify_password functionwala. Brian S. -Original Message- [EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 5:59 PM To: Multiple recipients of list ORACLE-L You have to check for errors in the ORA-28000 range, for this is the range that password problems will use. Add a check in your connection section that will propagate any exception encountered. You can also trap the Oracle errors for password expiration or locked account and display a more understandable message instead. This is the way I did it. Also, create a function or procedure that checks the EXPIRY_DATE and ACCOUNT_STATUS in the all_users or dba_users table to determine when the password will expire or if it has already. The function/procedure then can raise an exception if the account is within the grace period or locked. RWB Reginald W. Bailey IBM Global Services JPMC Account - DCI ETS Database Management Your Friendly Neighborhood DBA 713-216-7703 (Office) 281-798-5474 (Mobile) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] n.eduTo: [EMAIL PROTECTED] Sent by: cc: [EMAIL PROTECTED] Subject: Re: Password management using profiles ity.com 01/20/2004 02:49 PM Please respond to ORACLE-L We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.com To Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web site they are presented with a login screen. If their account is locked or expired, or it is within the grace period before the account expires they don't receive a message to that account. If the account is expired the login screen resets and prompts for user id and password over and over. I have opened a TAR wit Oracle support, but they don't have an answer to that effect. They say it is an application issue. I've researched everywhere I could think of and everything I have found is the same, use profiles and the verify_function function. I've also read the documentation regarding password management, but I couldn't find anything of help. Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS release 1. We have created a DAD to connect to the database. When users click on our link then they see the login screen, just the same way as Metalink's. Only if they sign on successfully and try to change the password the profile works as a charm. I guess we need something that checks for the password status once the user enters id and password in the login screen. I'd appreciate any help in finding documents or web sites I can visit to find a solution to this problem. We'd like to enforce our password
Re: Password management using profiles
On 01/21/2004 02:54:25 PM, Spears, Brian wrote: Yup..we just added the functionalty to the verify_password functionwala. Brian S. Brian, are you related to the young lady named Britney and whose marriage was shorter then the average transaction on my database? She happens to have the same last name as you. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password management using profiles
Thanks for your reponses. We're working on make these changes now. Ana E. Choto American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Spears, Brian [EMAIL PROTECTED] rands.com To Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/21/2004 02:54 RE: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com Yup..we just added the functionalty to the verify_password functionwala. Brian S. -Original Message- [EMAIL PROTECTED] Sent: Tuesday, January 20, 2004 5:59 PM To: Multiple recipients of list ORACLE-L You have to check for errors in the ORA-28000 range, for this is the range that password problems will use. Add a check in your connection section that will propagate any exception encountered. You can also trap the Oracle errors for password expiration or locked account and display a more understandable message instead. This is the way I did it. Also, create a function or procedure that checks the EXPIRY_DATE and ACCOUNT_STATUS in the all_users or dba_users table to determine when the password will expire or if it has already. The function/procedure then can raise an exception if the account is within the grace period or locked. RWB Reginald W. Bailey IBM Global Services JPMC Account - DCI ETS Database Management Your Friendly Neighborhood DBA 713-216-7703 (Office) 281-798-5474 (Mobile) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] n.eduTo: [EMAIL PROTECTED] Sent by: cc: [EMAIL PROTECTED] Subject: Re: Password management using profiles ity.com 01/20/2004 02:49 PM Please respond to ORACLE-L We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.com To Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site
Re: Password management using profiles
On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web site they are presented with a login screen. If their account is locked or expired, or it is within the grace period before the account expires they don't receive a message to that account. If the account is expired the login screen resets and prompts for user id and password over and over. I have opened a TAR wit Oracle support, but they don't have an answer to that effect. They say it is an application issue. I've researched everywhere I could think of and everything I have found is the same, use profiles and the verify_function function. I've also read the documentation regarding password management, but I couldn't find anything of help. Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS release 1. We have created a DAD to connect to the database. When users click on our link then they see the login screen, just the same way as Metalink's. Only if they sign on successfully and try to change the password the profile works as a charm. I guess we need something that checks for the password status once the user enters id and password in the login screen. I'd appreciate any help in finding documents or web sites I can visit to find a solution to this problem. We'd like to enforce our password policies as soon as possible, but upper management doesn't want me to do it until we can display the information regarding password status. Users may be at a loss if they just see the login screen resetting without knowing why, and our Help Desk would be inundated with calls. So, let me make things straight: the problem is happening only when they attempt to access the database through the web? What authorization mechanism are you using on the web? JSP? ASP? CGI? EJB? The part that performs user authentication should be cabable of detecting the error, just like SQL*Plus is. Oracle support is probably right. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Password management using profiles
We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.comTo Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web site they are presented with a login screen. If their account is locked or expired, or it is within the grace period before the account expires they don't receive a message to that account. If the account is expired the login screen resets and prompts for user id and password over and over. I have opened a TAR wit Oracle support, but they don't have an answer to that effect. They say it is an application issue. I've researched everywhere I could think of and everything I have found is the same, use profiles and the verify_function function. I've also read the documentation regarding password management, but I couldn't find anything of help. Our database is 8.1.7.2, and we're in Unix 5.8. We're using 9iAS release 1. We have created a DAD to connect to the database. When users click on our link then they see the login screen, just the same way as Metalink's. Only if they sign on successfully and try to change the password the profile works as a charm. I guess we need something that checks for the password status once the user enters id and password in the login screen. I'd appreciate any help in finding documents or web sites I can visit to find a solution to this problem. We'd like to enforce our password policies as soon as possible, but upper management doesn't want me to do it until we can display the information regarding password status. Users may be at a loss if they just see the login screen resetting without knowing why, and our Help Desk would be inundated with calls. So, let me make things straight: the problem is happening only when they attempt to access the database through the web? What authorization mechanism are you using on the web? JSP? ASP? CGI? EJB? The part that performs user authentication should be cabable of detecting the error, just like SQL*Plus is. Oracle support is probably right. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Mladen Gogala INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California
Re: Password management using profiles
You have to check for errors in the ORA-28000 range, for this is the range that password problems will use. Add a check in your connection section that will propagate any exception encountered. You can also trap the Oracle errors for password expiration or locked account and display a more understandable message instead. This is the way I did it. Also, create a function or procedure that checks the EXPIRY_DATE and ACCOUNT_STATUS in the all_users or dba_users table to determine when the password will expire or if it has already. The function/procedure then can raise an exception if the account is within the grace period or locked. RWB Reginald W. Bailey IBM Global Services JPMC Account - DCI ETS Database Management Your Friendly Neighborhood DBA 713-216-7703 (Office) 281-798-5474 (Mobile) [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] n.eduTo: [EMAIL PROTECTED] Sent by: cc: [EMAIL PROTECTED] Subject: Re: Password management using profiles ity.com 01/20/2004 02:49 PM Please respond to ORACLE-L We're using pl/sql gateway and the Apache server. We've set up a default DAD on the gateway configuration screen, the connect string is our server name. Basic authentication, Package/Session Management Type: Stateless(Reset Package State). I've tried the profile by setting up a test user and expiring the account. If I go to sqlplus and log in with the expired user account sqlplus prompts me for a new password. I don't have a problem with that, but you know how users are, they wouldn't figure out why. And management wants users to receive a message telling them why they have to change their passwords without going through the Help Desk. My guess is that a pl/sql package has to be written so users get their password check at login time and receive messages such as the number of days they have before the password expires, or that the password is actually expired. Thanks Ana E. Choto Systems Programmer American University e-Operations - Information Technology Phone (202) 885-2275 Fax (202) 885-2224 Mladen Gogala [EMAIL PROTECTED] ng.comTo Sent by: Multiple recipients of list [EMAIL PROTECTED] ORACLE-L [EMAIL PROTECTED] .com cc Subject 01/20/2004 03:24 Re: Password management using PMprofiles Please respond to [EMAIL PROTECTED] com On 01/20/2004 02:34:45 PM, Ana Choto wrote: I have set up a profile where the passwords expire in 30 days, 6 characters minimum, grace period before the account locks to 6 days. It works as expected when the user logs in to our web site and tries to change the password. Users receive error messages whenever their password doesn't comply with the rules we have set up in the profile. We use the verify_function. The only problem I have is that when the users go to our web
Re: password file authentication
Start with: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96536/ch1177.htm#1023215 Then go to: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm#1283 EXCLUSIVE refers to a separate password file for each database in an ORACLE_HOME e.g. ls -l$ORACLE_HOME/dbs/orapwd* -rwSr-1 oracle dba 1536 Jan 31 10:39 /u01/app/oracle/product/8.1.7/dbs/orapwdv01 -rwSr-1 oracle dba 1536 Apr 1 2002 /u01/app/oracle/product/8.1.7/dbs/orapwdv02 Jared BigP [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 02/04/2003 09:49 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password file authentication when is set remote_pass_tuh = exclusive , oracle looks for passwordfile with name is ../920/dbs/orapw . If I have multiple instances of oracle running , what should I do to look for differenet password file like orapwINST.pw ...? Bp -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
If this were to be used as a serious security tool, you would be better off studying some of the well known password crackers and duplicating the algorithms in PL/SQL. Sounds like a project to add to my todo list. Actually it's one I've had on the backburner for some time. This can also be done with Perl, of course. If anyone is interested, I would suggest starting with one of the best Unix password crackers, John the Ripper: http://www.openwall.com/john/ TTL, Sean -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: From INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
why isn't there a program available that can reverse engineer the code used to encrypt passwords... if username XYZ always has password (encrypted) CBA, you think that it would be easy to figure out the pattern... once you have the pattern it's easy to go back and forth with the password and the encrypted password. Nick: Password encryption is a one-way algorithm. I'm no math genius, but these guys know how to create math such that you can encrypt a string of text, but *CAN'T* reverse the process. This is an age-old method. In fact for years, the unix password file was plainly readable by anyone on the system. In those days, computers weren't fast enough to run dictionary cracker programs. When they became fast enough, people would just go through a dictionary file, and encrypt each word, and simple permutations thereof. When you found an encrypted string which matched your string from the password file, you had a match. Then shadow password files were invented. Anyway, security in Oracle is implemented in somewhat the same way. And just as in the Unix world, if you have the encrypted passwords, you can run a dictionary hack like John the Ripper (http://www.openwall.com/john/) and find passwords which are based on dictionary words. This is an endless game of cat and mouse. Users can't remember complex strings like $rs^tvzH(9, so they either use passwords they can remember, which is insecure, or write them on a post-it. Some people have devised small electronic versions of a post-it with a password, some attached to a keychain, or a program for the palm pilot. But the same problem remains, they're only as good as the password that secures all the others. If you want to go further to the cutting edge, you run into the new field of biometrics. Bruce Schneir has a lot to say about this: http://www.counterpane.com/crypto-gram-9808.html A Japanese researcher named Tsutomu Matsumoto managed to hack fingerprint readers 80% of the time with Jelly Babies!!! http://www.zdnet.com.au/newstech/security/story/0,224985,20265318-1,00.htm http://www.counterpane.com/crypto-gram-0205.html#5 I actually requested a copy of this paper through the mail. It was *VERY* interesting. So don't expect these problems to be solved anytime soon. :-) HTH, Sean -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: From INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Title: Message BOB, its the same on my machine... 8.1.6 on NT -Venu -Original Message-From: Bob Metelsky [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 18, 2002 3:56 AMTo: Multiple recipients of list ORACLE-LSubject: RE: password created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD--7A0F2B316C212D67 bob **Disclaimer Information contained in this E-MAIL being proprietary to Wipro Limited is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited. ***
RE: password
Same on linux 7.2 Oracle 8.1.7 rel 3 Ron [EMAIL PROTECTED] 12/20/02 04:07AM BOB, its the same on my machine... 8.1.6 on NT -Venu -Original Message- From: Bob Metelsky [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 18, 2002 3:56 AM To: Multiple recipients of list ORACLE-L Subject: RE: password created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 bob -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Ron Rogers INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Yes, this is the intended behaviour (although I can't find where it actually documented). Passwords are stored using a one-way encryption and this encrypted form applies to all Oracle platforms. It is used, for example, during export/import of full dumps where the users are created on the new (import) database with the same password they had on the old (export) database simply by copying the encrypted form. This must be cross-platform/version, and exp/imp is cross-platform/version. You can do the same thing as exp/imp does by: CREATE USER user IDENTIFIED BY VALUES encrypted form eg CREATE USER TEST IDENTIFIED BY VALUES '7A0F2B316C212D67'; Note, though that the encrypted form of the password is dependent on the username for which it applies, so you cannot use this to set the same password for a differently named user. - Bill. At 06:14 20/12/2002 -0800, you wrote: Same on linux 7.2 Oracle 8.1.7 rel 3 Ron [EMAIL PROTECTED] 12/20/02 04:07AM BOB, its the same on my machine... 8.1.6 on NT -Venu -Original Message- From: Bob Metelsky [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 18, 2002 3:56 AM To: Multiple recipients of list ORACLE-L Subject: RE: password created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 bob -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Ron Rogers INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Intasys Billing Technologies Ltd. www.intasysbilling.com 74 Commercial Street, Commercial Quay, Leith, Edinburgh EH6 6LX tel (0)131 625 8200 fax (0)131 625 8201 email [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Bill Buchan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Title: RE: password why isn't there a program available that can reverse engineer the code used to encrypt passwords... if username XYZ always has password (encrypted) CBA, you think that it would be easy to figure out the pattern... once you have the pattern it's easy to go back and forth with the password and the encrypted password. -Original Message- From: Bill Buchan [mailto:[EMAIL PROTECTED]] Sent: Friday, December 20, 2002 8:21 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Yes, this is the intended behaviour (although I can't find where it actually documented). Passwords are stored using a one-way encryption and this encrypted form applies to all Oracle platforms. It is used, for example, during export/import of full dumps where the users are created on the new (import) database with the same password they had on the old (export) database simply by copying the encrypted form. This must be cross-platform/version, and exp/imp is cross-platform/version. You can do the same thing as exp/imp does by: CREATE USER user IDENTIFIED BY VALUES encrypted form eg CREATE USER TEST IDENTIFIED BY VALUES '7A0F2B316C212D67'; Note, though that the encrypted form of the password is dependent on the username for which it applies, so you cannot use this to set the same password for a differently named user. - Bill. At 06:14 20/12/2002 -0800, you wrote: Same on linux 7.2 Oracle 8.1.7 rel 3 Ron [EMAIL PROTECTED] 12/20/02 04:07AM BOB, its the same on my machine... 8.1.6 on NT -Venu -Original Message- HREF="">mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 18, 2002 3:56 AM To: Multiple recipients of list ORACLE-L created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 bob -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Ron Rogers INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Intasys Billing Technologies Ltd. www.intasysbilling.com 74 Commercial Street, Commercial Quay, Leith, Edinburgh EH6 6LX tel (0)131 625 8200 fax (0)131 625 8201 email [EMAIL PROTECTED] -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Bill Buchan INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
And that is what it *should* be used for :) -Original Message- [EMAIL PROTECTED] Sent: 17 December 2002 19:35 To: Multiple recipients of list ORACLE-L Yes, it's a dictionary based cracker. Could be useful for checking for weak passwords. For $4, I'm going to see what it does. :) Jared John Kanagaraj [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:08 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mark Leith INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
Jared's answer still stands you can't --- faisal ahmad [EMAIL PROTECTED] wrote: HR htmldiv style='background-color:'DIV Pquistion is this that how can dba see a user,s password in readable outputt. i mean if password is tiger it should be seen as tigerBRBR/P/DIV DIV/DIV DIV/DIVgt;From: [EMAIL PROTECTED] DIV/DIVgt;To: [EMAIL PROTECTED] DIV/DIVgt;CC: [EMAIL PROTECTED] DIV/DIVgt;Subject: Re: password DIV/DIVgt;Date: Tue, 17 Dec 2002 08:46:13 -0800 DIV/DIVgt; DIV/DIVgt;You can't. DIV/DIVgt; DIV/DIVgt; DIV/DIVgt; DIV/DIVgt; DIV/DIVgt; DIV/DIVgt; DIV/DIVgt;faisal ahmad [EMAIL PROTECTED] DIV/DIVgt;Sent by: [EMAIL PROTECTED] DIV/DIVgt; 12/16/2002 08:09 PM DIV/DIVgt; Please respond to ORACLE-L DIV/DIVgt; DIV/DIVgt; DIV/DIVgt; To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] DIV/DIVgt; cc: DIV/DIVgt; Subject: password DIV/DIVgt; DIV/DIVgt; DIV/DIVgt;how can a dba see the password of a user. DIV/DIVgt; DIV/DIVgt;The new MSN 8: smart spam protection and 2 months FREE* DIV/DIVgt;-- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network DIV/DIVgt;Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services DIV/DIVgt;- To DIV/DIVgt;REMOVE yourself from this mailing list, send an E-Mail message to: DIV/DIVgt;[EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the DIV/DIVgt;message BODY, include a line containing: UNSUB ORACLE-L (or the name of DIV/DIVgt;mailing list you want to be removed from). You may also send the HELP DIV/DIVgt;command for other information (like subscribing). DIV/DIV/divbr clear=allhrAdd photos to your e-mail with a href=http://g.msn.com/8HMUEN/2022;MSN 8./a Get 2 months FREE*./html -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Oracle7 Server Release 7.3.4.5.0 - Production With the distributed, parallel query and Spatial Data options PL/SQL Release 2.3.4.5.0 - Production SQL create user test identified by test; User created. SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 SQL drop user test; User dropped. SQL create user hohoho identified by test; User created. SQL select password from dba_users where username = 'HOHOHO'; PASSWORD -- 2C49BD93B9733CA0 SQL drop user hohoho; User dropped. -Original Message- Sent: Tuesday, December 17, 2002 8:24 PM To: Multiple recipients of list ORACLE-L SQL*Plus: Release 9.2.0.2.0 - Production on Tue Dec 17 17:19:55 2002 Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved. Connected to: Oracle9i Enterprise Edition Release 9.2.0.2.0 - Production With the Partitioning, OLAP and Oracle Data Mining options JServer Release 9.2.0.2.0 - Production SQL create user test identified by test; User created. SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 SQL -Original Message- Sent: Tuesday, December 17, 2002 2:26 PM To: Multiple recipients of list ORACLE-L created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 bob -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Wiegand, Kurt INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Downloaded and installed the tool. Not terribly sophistcated. If the word is not in the dictionary, it won't find it. For instance, a password of 'SHOE' will be discovered, but changing the O to a zero so that it reads 'SH0E', and the password cracker will not find it. If this were to be used as a serious security tool, you would be better off studying some of the well known password crackers and duplicating the algorithms in PL/SQL. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/18/2002 01:28 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password And that is what it *should* be used for :) -Original Message- [EMAIL PROTECTED] Sent: 17 December 2002 19:35 To: Multiple recipients of list ORACLE-L Yes, it's a dictionary based cracker. Could be useful for checking for weak passwords. For $4, I'm going to see what it does. :) Jared John Kanagaraj [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:08 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mark Leith INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
he can't but he can change it to a new one and then put the old back on -Original Message-From: faisal ahmad [mailto:[EMAIL PROTECTED]]Sent: terça-feira, 17 de Dezembro de 2002 4:09To: Multiple recipients of list ORACLE-LSubject: password how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Check the post-it note on their monitor? :) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paulo GomesSent: 17 December 2002 10:55To: Multiple recipients of list ORACLE-LSubject: RE: password he can't but he can change it to a new one and then put the old back on -Original Message-From: faisal ahmad [mailto:[EMAIL PROTECTED]]Sent: terça-feira, 17 de Dezembro de 2002 4:09To: Multiple recipients of list ORACLE-LSubject: password how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
nope u can get the encripted password from the oracle dictionáry -Original Message-From: Mark Leith [mailto:[EMAIL PROTECTED]]Sent: terça-feira, 17 de Dezembro de 2002 11:34To: Multiple recipients of list ORACLE-LSubject: RE: password Check the post-it note on their monitor? :) -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paulo GomesSent: 17 December 2002 10:55To: Multiple recipients of list ORACLE-LSubject: RE: password he can't but he can change it to a new one and then put the old back on -Original Message-From: faisal ahmad [mailto:[EMAIL PROTECTED]]Sent: terça-feira, 17 de Dezembro de 2002 4:09To: Multiple recipients of list ORACLE-LSubject: password how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- From: Mark Leith [mailto:[EMAIL PROTECTED]] Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Subject: RE: password Check the post-it note on their monitor? :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Paulo Gomes Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L Subject: RE: password he can't but he can change it to a new one and then put the old back on -Original Message- From: faisal ahmad [mailto:[EMAIL PROTECTED]] Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L Subject: password how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
unless, of course, you are using the profile and password history, in which case you can't reuse the password for x times --- [EMAIL PROTECTED] wrote: And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
From DBA_USERS. :-) I think you replaced encrypted with decrypted. JP On Tuesday 17 December 2002 18:04, you wrote: How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Pruner Jan [EMAIL PROTECTED] http://jan.pruner.cz/ - Only Robinson Crusoe had all his work done by Friday -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jan Pruner INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
I think, you need not crack it, just use it to create own hash and compare it with PASSWORD from DBA_USERS. But HOW to use it? JP On Tuesday 17 December 2002 18:04, you wrote: How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Pruner Jan [EMAIL PROTECTED] http://jan.pruner.cz/ - Only Robinson Crusoe had all his work done by Friday -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jan Pruner INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
I thought (for a micro-second, and very smug I was too) that we'd be more-or-less safe from crack attempts as we're going to be using in 9iAS R2's Active Directory bit to authenticate from our AD servers. But, thought I, the AD implementation on Oracle is a sub-set of master LDAP - they're not banging on the read AD tree, just a select set OF the tree. Which means .. someone using this crack tool on an Oracle server running the AD/LDAP authentication can crack the AD/LDAP tree? Tell me if I'm right or not ... our AD admins aren't going to be happy. ~brian -Original Message- Sent: Tuesday, December 17, 2002 11:09 AM To: Multiple recipients of list ORACLE-L Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Brian Dunbar INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
If you are too cheap for $4.00 then there is this one http://www.trantechnologies.com/pass_cracker.zip I found it in the comments for Oracle Password Cracker 1.6 on www.download.com Greg -Original Message- Sent: Tuesday, December 17, 2002 1:14 PM To: Multiple recipients of list ORACLE-L oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mirsky, Greg INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list
Re: password
Wrong, I took my first Oracle class with a woman who had cracked the algorithm. At the time, I didn't know enough to ask her for it. Ruth - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, December 17, 2002 12:04 PM How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ruth Gramolini INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
I don't know if 'crack' is the right word. It just tries words from the dictionary until it finds one that encrypts to the same value. Keith - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, December 17, 2002 11:09 AM Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If the reader of this message is not the intended recipient, you are hereby notified that your access is unauthorized, and any review, dissemination, distribution or copying of this message including any attachments is strictly prohibited. If you are not the intended recipient, please contact the sender and delete the material from any computer.
RE: password
Interesting. Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Not being much of a hacker (anymore) I would think that with only one algorithm and several known passwords (you can generate them yourself), this wouldn't be much of a challenge to real hackers. Hell, the client encrypts it to send to the server, right? That code could be reverse engineered, too. BTW, VMS has many algorithms in play to help prevent such an attack on it's passwords. plug plug Oh to have the spare time of a 15-year old again... :) Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: Ruth Gramolini [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 12:39 PM To: Multiple recipients of list ORACLE-L Subject: Re: password Wrong, I took my first Oracle class with a woman who had cracked the algorithm. At the time, I didn't know enough to ask her for it. Ruth - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, December 17, 2002 12:04 PM How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jesse, Rich INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
This program does not reverse-engineer or decrypt Oracle passwords. It does a dictionary forward brute-force hack. So, if the user's password is not in the list of pre-defined words then the password is never revealed. This just encourages DBAs to enforce password management. See the verify_function for password management in Oracle for details. For example, setting your password to SHOELACE would be detected by this program, as it is in the English dictionary. SH03LAC3 would not. Basic rules of having a combination of characters, numbers, and punctuation marks, and not writing your password on a slip of paper by your monitor, all lead to a safe environment. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 12:14 PM To: Multiple recipients of list ORACLE-L oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionary -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
It's one way encryption. So you can loop on all the permutation for AA to ZZ and apply the encryption code and compare the output to the dictionary content. If it matches, then you got the password. I thought about doing this five years ago, but decided against it. I thought I will be under the hackers, virus developers groups. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 12:04 PM To: Multiple recipients of list ORACLE-L How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Bob, That no longer works as of 8i if you enforce the password history... you'd have to change the password a number of times to get it back to what it was. Rachel --- Bob Metelsky [EMAIL PROTECTED] wrote: How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
The best defense is to lock the account if there are over x number of failed logon attempts. Then they have to guess in just a few tries. You can also reduce the change that it will work by enforcing password complexity. Or at least it would take a long time. Make sure people have a number and/or punctuation in their password, preferrable not the last character. It will also be much more difficult if the intruder doesn't know the usernames. Keith - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, December 17, 2002 12:14 PM oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If the reader of this message is not the intended
RE: password
It's brute force attack,and relies on a dictionary. Only weak passwords will be cracked, like common words etc. I don't think you need to worry at all if you enforce passwords that must contain numeric besides characters etc. Richard Ji -Original Message- Sent: Tuesday, December 17, 2002 1:14 PM To: Multiple recipients of list ORACLE-L oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Richard Ji INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line
RE: password
Ari, If the algorithm is any good, the cracker should find SHO3LAC3, as that is a weak password. Unix crackers would pick this up. Jared Ari Kaplan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:44 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password This program does not reverse-engineer or decrypt Oracle passwords. It does a dictionary forward brute-force hack. So, if the user's password is not in the list of pre-defined words then the password is never revealed. This just encourages DBAs to enforce password management. See the verify_function for password management in Oracle for details. For example, setting your password to SHOELACE would be detected by this program, as it is in the English dictionary. SH03LAC3 would not. Basic rules of having a combination of characters, numbers, and punctuation marks, and not writing your password on a slip of paper by your monitor, all lead to a safe environment. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 12:14 PM To: Multiple recipients of list ORACLE-L oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionary -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Exploit is, I believe, the proper term. http://www.tuxedo.org/~esr/jargon/html/entry/exploit.html ~brian -Original Message- Sent: Tuesday, December 17, 2002 12:29 PM To: Multiple recipients of list ORACLE-L I don't know if 'crack' is the right word. It just tries words from the dictionary until it finds one that encrypts to the same value. Keith - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, December 17, 2002 11:09 AM Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Brian Dunbar INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Yes, it's a dictionary based cracker. Could be useful for checking for weak passwords. For $4, I'm going to see what it does. :) Jared John Kanagaraj [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:08 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
I don't think the x failed attempts lock will do anything. Because in this case they are not brute forcing it by trying to log in. It assumes you have access to the one-way encrypted(hashed) passwords and brute force on that. Just like you got hold of the /etc/shadow file on Unix and run cracker jack to brute force attack it. So you do need to get hold of the file first which could be a tricky part. -Original Message- Sent: Tuesday, December 17, 2002 2:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Richard Ji INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
OK...then put in some punctuation marks SH03LAC3#JAREDFORPRESIDENT!209 is probably safer ;) -Ari -Original Message- Sent: Tuesday, December 17, 2002 1:29 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Ari, If the algorithm is any good, the cracker should find SHO3LAC3, as that is a weak password. Unix crackers would pick this up. Jared Ari Kaplan [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:44 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password This program does not reverse-engineer or decrypt Oracle passwords. It does a dictionary forward brute-force hack. So, if the user's password is not in the list of pre-defined words then the password is never revealed. This just encourages DBAs to enforce password management. See the verify_function for password management in Oracle for details. For example, setting your password to SHOELACE would be detected by this program, as it is in the English dictionary. SH03LAC3 would not. Basic rules of having a combination of characters, numbers, and punctuation marks, and not writing your password on a slip of paper by your monitor, all lead to a safe environment. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 12:14 PM To: Multiple recipients of list ORACLE-L oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionary -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
you mean I am supposed to take down all those post-it notes? Darn! --- Ari Kaplan [EMAIL PROTECTED] wrote: This program does not reverse-engineer or decrypt Oracle passwords. It does a dictionary forward brute-force hack. So, if the user's password is not in the list of pre-defined words then the password is never revealed. This just encourages DBAs to enforce password management. See the verify_function for password management in Oracle for details. For example, setting your password to SHOELACE would be detected by this program, as it is in the English dictionary. SH03LAC3 would not. Basic rules of having a combination of characters, numbers, and punctuation marks, and not writing your password on a slip of paper by your monitor, all lead to a safe environment. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 12:14 PM To: Multiple recipients of list ORACLE-L oh this is very scary especially that price did you try out the demo? I'm still in catch-up, deal with crises mode so I haven't had a chance Rachel --- [EMAIL PROTECTED] wrote: Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionary -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terga-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
I used to work as a Unix security admin and would frequently run password cracking programs against our password files. We found that the really weak passwords were found in the first 5 minutes, ones derived from info in the gecos fields. Better ones, using number/letter substitutions in common dictionary words, would be found in the next day or so. We stopped running after 48 hours. We never found that brute force iteration was worthwhile. Consider the following if you are thinking of using a totally brute force approach and trying all possible combinations. I needed a break this afternoon... Assumptions: All passwords are 6 characters long and all characters are upper case. There are 6^26=170,581,728,179,578,208,256 possible passwords If you can attack 100,000,000 passwords per second you will need (6^26)/100,000,000 = 1,705,817,281,795 seconds. 1,705,817,281,795s * 1h/3600s = 473,838,133 hours 473,838,133,832h * 1d/24h = 19,743,255 days 19,743,255,576d * 1y/365d = 54,091 years If we add the condition that passwords can be upper and lower case then there are 6^26 possible passwords and the time to attack all possible combinations becomes: 9.226E24 years. Back to work now :) -- Paul -Original Message- Waleed Sent: Tuesday, December 17, 2002 2:16 PM To: Multiple recipients of list ORACLE-L It's one way encryption. So you can loop on all the permutation for AA to ZZ and apply the encryption code and compare the output to the dictionary content. If it matches, then you got the password. I thought about doing this five years ago, but decided against it. I thought I will be under the hackers, virus developers groups. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 12:04 PM To: Multiple recipients of list ORACLE-L How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Paul Heely INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services
RE: password
Yes that's rite I cant use D4C5016086B2DC6A as the password But... I can SQL alter user bob identified by newpassword ; Log on as bob and make any changes I want then... SQL Update dba_users set password = 'D4C5016086B2DC6A' where user = bob ; Bob doen not know his account has been modified I know that's not what he asked but... I havent threw in my 2cts in a while ;- And this could prove useful from time to time bob Yes, but that is not what he asked. Try logging in with the value from dba_users. ;) Jared Bob Metelsky [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:14 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
on a TEST database go ahead and try that you can't update dba_users that way --- Bob Metelsky [EMAIL PROTECTED] wrote: Yes that's rite I cant use D4C5016086B2DC6A as the password But... I can SQL alter user bob identified by newpassword ; Log on as bob and make any changes I want then... SQL Update dba_users set password = 'D4C5016086B2DC6A' where user = bob ; Bob doen not know his account has been modified I know that's not what he asked but... I havent threw in my 2cts in a while ;- And this could prove useful from time to time bob Yes, but that is not what he asked. Try logging in with the value from dba_users. ;) Jared Bob Metelsky [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:14 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Its not an update of dba_users. Its an Alter user identified by values OldPassword, which is also what an export/import uses. Raj Bob MetelskyTo: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] bmetelsky@cpcc: s92.com Subject: RE: password Sent by: root@fatcity. com December 17, 2002 03:35 PM Please respond to ORACLE-L Yes that's rite I cant use D4C5016086B2DC6A as the password But... I can SQL alter user bob identified by newpassword ; Log on as bob and make any changes I want then... SQL Update dba_users set password = 'D4C5016086B2DC6A' where user = bob ; Bob doen not know his account has been modified I know that's not what he asked but... I havent threw in my 2cts in a while ;- And this could prove useful from time to time bob Yes, but that is not what he asked. Try logging in with the value from dba_users. ;) Jared Bob Metelsky [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:14 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
I think it's 26^6 There is a big difference between 26^6 and 6^26 let's keep the fun :) Waleed -Original Message- Sent: Tuesday, December 17, 2002 3:20 PM To: Multiple recipients of list ORACLE-L I used to work as a Unix security admin and would frequently run password cracking programs against our password files. We found that the really weak passwords were found in the first 5 minutes, ones derived from info in the gecos fields. Better ones, using number/letter substitutions in common dictionary words, would be found in the next day or so. We stopped running after 48 hours. We never found that brute force iteration was worthwhile. Consider the following if you are thinking of using a totally brute force approach and trying all possible combinations. I needed a break this afternoon... Assumptions: All passwords are 6 characters long and all characters are upper case. There are 6^26=170,581,728,179,578,208,256 possible passwords If you can attack 100,000,000 passwords per second you will need (6^26)/100,000,000 = 1,705,817,281,795 seconds. 1,705,817,281,795s * 1h/3600s = 473,838,133 hours 473,838,133,832h * 1d/24h = 19,743,255 days 19,743,255,576d * 1y/365d = 54,091 years If we add the condition that passwords can be upper and lower case then there are 6^26 possible passwords and the time to attack all possible combinations becomes: 9.226E24 years. Back to work now :) -- Paul -Original Message- Waleed Sent: Tuesday, December 17, 2002 2:16 PM To: Multiple recipients of list ORACLE-L It's one way encryption. So you can loop on all the permutation for AA to ZZ and apply the encryption code and compare the output to the dictionary content. If it matches, then you got the password. I thought about doing this five years ago, but decided against it. I thought I will be under the hackers, virus developers groups. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 12:04 PM To: Multiple recipients of list ORACLE-L How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com
RE: password
Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Yes, it does. Check: http://www.pentest-limited.com/default-user.htm This is a pentest list of default Oracle passwords. I've used this to create a perl script that checks for default passwords. It doesn't matter which version of Oracle. Jared Jesse, Rich [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 11:03 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Interesting. Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Not being much of a hacker (anymore) I would think that with only one algorithm and several known passwords (you can generate them yourself), this wouldn't be much of a challenge to real hackers. Hell, the client encrypts it to send to the server, right? That code could be reverse engineered, too. BTW, VMS has many algorithms in play to help prevent such an attack on it's passwords. plug plug Oh to have the spare time of a 15-year old again... :) Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: Ruth Gramolini [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 12:39 PM To: Multiple recipients of list ORACLE-L Subject: Re: password Wrong, I took my first Oracle class with a woman who had cracked the algorithm. At the time, I didn't know enough to ask her for it. Ruth - Original Message - To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Sent: Tuesday, December 17, 2002 12:04 PM How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jesse, Rich INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Don't think the db name plays a role in this. But the username does. i.e. user1, user2 share the same password and the hash comes out different. but user1 from two different database share the same password and the hash comes out the same. Richard Ji -Original Message- Sent: Tuesday, December 17, 2002 3:15 PM To: Multiple recipients of list ORACLE-L how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services
RE: password
UGH! Should have been 26^6 possible passwords NOT 6^26! So... Ignore my previous math. Have to go now. Hanging head in mathematical shame. Correct times for all uppercase: 3 seconds Correct times for upper and lower: 3.2 minutes Now if I can only find the machine to do 100,000,000 attacks/s. -- Paul -Original Message- Sent: Tuesday, December 17, 2002 3:20 PM To: Multiple recipients of list ORACLE-L I used to work as a Unix security admin and would frequently run password cracking programs against our password files. We found that the really weak passwords were found in the first 5 minutes, ones derived from info in the gecos fields. Better ones, using number/letter substitutions in common dictionary words, would be found in the next day or so. We stopped running after 48 hours. We never found that brute force iteration was worthwhile. Consider the following if you are thinking of using a totally brute force approach and trying all possible combinations. I needed a break this afternoon... Assumptions: All passwords are 6 characters long and all characters are upper case. There are 6^26=170,581,728,179,578,208,256 possible passwords If you can attack 100,000,000 passwords per second you will need (6^26)/100,000,000 = 1,705,817,281,795 seconds. 1,705,817,281,795s * 1h/3600s = 473,838,133 hours 473,838,133,832h * 1d/24h = 19,743,255 days 19,743,255,576d * 1y/365d = 54,091 years If we add the condition that passwords can be upper and lower case then there are 6^26 possible passwords and the time to attack all possible combinations becomes: 9.226E24 years. Back to work now :) -- Paul -Original Message- Waleed Sent: Tuesday, December 17, 2002 2:16 PM To: Multiple recipients of list ORACLE-L It's one way encryption. So you can loop on all the permutation for AA to ZZ and apply the encryption code and compare the output to the dictionary content. If it matches, then you got the password. I thought about doing this five years ago, but decided against it. I thought I will be under the hackers, virus developers groups. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 12:04 PM To: Multiple recipients of list ORACLE-L How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB
Re: password
Rachel Carmichael wrote: how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. Rachel, This is probably wrong, otherwise you would have to reinitiate passwords each time you do a full import (which recreates the users with 'IDENTIFIED BY VALUES' - eg reloads the crypted password as is) or clone a database. What it depends on for sure is the username and/or user#, because the same password given to different users hashes into something different. More likely to be the user#, I _think_ that I remember that if you drop a user and recreate the account with the same password, the resulting encrypted password is different. -- Regards, Stephane Faroult Oriole Software -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
No, it isn't. A password hashes the same regardless of version or database name. The username though, *is* used as a salt for the hash, which is probably what he told you. create user t1 identified by testp; create user t2 identified by testp; select username, password from dba_users where username in ('T1','T2'); USERNAME PASSWORD -- -- T2 BAE5ACFD7312C539 T1 CE0DA0802E1EA0F6 Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 12:14 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up
RE: password
Unfortunately, Bob will know because he won't be able to login anymore after the changes. The password has now changed to 'D4C5016086B2DC6A'. Perhaps you're looking for the BY VALUES clause? Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: Bob Metelsky [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 2:36 PM To: Multiple recipients of list ORACLE-L Subject: RE: password Yes that's rite I cant use D4C5016086B2DC6A as the password But... I can SQL alter user bob identified by newpassword ; Log on as bob and make any changes I want then... SQL Update dba_users set password = 'D4C5016086B2DC6A' where user = bob ; Bob doen not know his account has been modified I know that's not what he asked but... I havent threw in my 2cts in a while ;- And this could prove useful from time to time bob -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jesse, Rich INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Yes sigh your correct... I should have tested that before posting What I ment was something like this From dbahandbook pg 418 Becomeuser.sql set pagesize 0 feedback off verify off echo off term out off spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; C:\reset.sql alter user someuser identified by values '48D0175ECBDE45B0' profile DEFAULT; I was thinking about one of our user tables bob on a TEST database go ahead and try that you can't update dba_users that way --- Bob Metelsky [EMAIL PROTECTED] wrote: Yes that's rite I cant use D4C5016086B2DC6A as the password But... I can SQL alter user bob identified by newpassword ; Log on as bob and make any changes I want then... SQL Update dba_users set password = 'D4C5016086B2DC6A' where user = bob ; Bob doen not know his account has been modified I know that's not what he asked but... I havent threw in my 2cts in a while ;- And this could prove useful from time to time bob Yes, but that is not what he asked. Try logging in with the value from dba_users. ;) Jared Bob Metelsky [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:14 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San
RE: password
Well, that's the default password. Is the *hash* the same, though? Someone had mentioned that they thought it was DB-dependant. That can't be, since I can copy a DB, change the name, and fire it up without changing the password. Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 3:01 PM To: [EMAIL PROTECTED] Cc: Jesse, Rich Subject: RE: password Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Yes, it does. Check: http://www.pentest-limited.com/default-user.htm This is a pentest list of default Oracle passwords. I've used this to create a perl script that checks for default passwords. It doesn't matter which version of Oracle. Jared Jesse, Rich [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 11:03 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Interesting. Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Not being much of a hacker (anymore) I would think that with only one algorithm and several known passwords (you can generate them yourself), this wouldn't be much of a challenge to real hackers. Hell, the client encrypts it to send to the server, right? That code could be reverse engineered, too. BTW, VMS has many algorithms in play to help prevent such an attack on it's passwords. plug plug Oh to have the spare time of a 15-year old again... :) Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jesse, Rich INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Terrible Homer Simpson impression MMM...hash...salt... -Original Message- Sent: Tuesday, December 17, 2002 2:19 PM To: Multiple recipients of list ORACLE-L No, it isn't. A password hashes the same regardless of version or database name. The username though, *is* used as a salt for the hash, which is probably what he told you. create user t1 identified by testp; create user t2 identified by testp; select username, password from dba_users where username in ('T1','T2'); USERNAME PASSWORD -- -- T2 BAE5ACFD7312C539 T1 CE0DA0802E1EA0F6 Jared Rachel Carmichael [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 12:14 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP
RE: password
Title: RE: password I created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- From: Rachel Carmichael [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 3:15 PM To: Multiple recipients of list ORACLE-L Subject: RE: password how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538
Re: password
Stephane, No I tried dropping a user and recreating them just a few minutes ago - the hash is the same. So it depends on username but not Oracle SID or physical host. Cheers, Mark. Stephane Faroult To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] sfaroult@orio cc: le.com Subject: Re: password Sent by: [EMAIL PROTECTED] om 18/12/2002 08:19 Please respond to ORACLE-L Rachel Carmichael wrote: how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. Rachel, This is probably wrong, otherwise you would have to reinitiate passwords each time you do a full import (which recreates the users with 'IDENTIFIED BY VALUES' - eg reloads the crypted password as is) or clone a database. What it depends on for sure is the username and/or user#, because the same password given to different users hashes into something different. More likely to be the user#, I _think_ that I remember that if you drop a user and recreate the account with the same password, the resulting encrypted password is different. -- Regards, Stephane Faroult Oriole Software -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephane Faroult INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Privileged/Confidential information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail or by telephone on (61 3) 9612-6999. Please advise immediately if you or your employer does not consent to Internet e-mail for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of Transurban City Link Ltd shall be understood as neither given nor endorsed by it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mark Richard INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command
RE: password
Title: RE: password This works too A password calculator http://lastbit.com/pswcalc.asp -Original Message- From: Paul Heely [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 4:19 PM To: Multiple recipients of list ORACLE-L Subject: RE: password UGH! Should have been 26^6 possible passwords NOT 6^26! So... Ignore my previous math. Have to go now. Hanging head in mathematical shame. Correct times for all uppercase: 3 seconds Correct times for upper and lower: 3.2 minutes Now if I can only find the machine to do 100,000,000 attacks/s. -- Paul -Original Message- Sent: Tuesday, December 17, 2002 3:20 PM To: Multiple recipients of list ORACLE-L I used to work as a Unix security admin and would frequently run password cracking programs against our password files. We found that the really weak passwords were found in the first 5 minutes, ones derived from info in the gecos fields. Better ones, using number/letter substitutions in common dictionary words, would be found in the next day or so. We stopped running after 48 hours. We never found that brute force iteration was worthwhile. Consider the following if you are thinking of using a totally brute force approach and trying all possible combinations. I needed a break this afternoon... Assumptions: All passwords are 6 characters long and all characters are upper case. There are 6^26=170,581,728,179,578,208,256 possible passwords If you can attack 100,000,000 passwords per second you will need (6^26)/100,000,000 = 1,705,817,281,795 seconds. 1,705,817,281,795s * 1h/3600s = 473,838,133 hours 473,838,133,832h * 1d/24h = 19,743,255 days 19,743,255,576d * 1y/365d = 54,091 years If we add the condition that passwords can be upper and lower case then there are 6^26 possible passwords and the time to attack all possible combinations becomes: 9.226E24 years. Back to work now :) -- Paul -Original Message- Waleed Sent: Tuesday, December 17, 2002 2:16 PM To: Multiple recipients of list ORACLE-L It's one way encryption. So you can loop on all the permutation for AA to ZZ and apply the encryption code and compare the output to the dictionary content. If it matches, then you got the password. I thought about doing this five years ago, but decided against it. I thought I will be under the hackers, virus developers groups. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 12:04 PM To: Multiple recipients of list ORACLE-L How, Oracle does not publish the password encryption algorithm, and I don't believe anyone has cracked it. Jared Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 04:38 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject: RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services
RE: password
I suppose I should have included that I tested this on 8.1.7.4.0 on HP/UX and 8.0.5.0.1 on OpenVMS, and the same passwords hash to the same values in each. I wonder if it's different for other versions. 7? 9? 10??? :) Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: Jesse, Rich Sent: Tuesday, December 17, 2002 3:31 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Subject: RE: password Well, that's the default password. Is the *hash* the same, though? Someone had mentioned that they thought it was DB-dependant. That can't be, since I can copy a DB, change the name, and fire it up without changing the password. Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 3:01 PM To: [EMAIL PROTECTED] Cc: Jesse, Rich Subject: RE: password Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Yes, it does. Check: http://www.pentest-limited.com/default-user.htm This is a pentest list of default Oracle passwords. I've used this to create a perl script that checks for default passwords. It doesn't matter which version of Oracle. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jesse, Rich INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Yes, the hash is the same. That's what is listed at the pentest URL. Jared Jesse, Rich [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 01:30 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Well, that's the default password. Is the *hash* the same, though? Someone had mentioned that they thought it was DB-dependant. That can't be, since I can copy a DB, change the name, and fire it up without changing the password. Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 3:01 PM To: [EMAIL PROTECTED] Cc: Jesse, Rich Subject: RE: password Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Yes, it does. Check: http://www.pentest-limited.com/default-user.htm This is a pentest list of default Oracle passwords. I've used this to create a perl script that checks for default passwords. It doesn't matter which version of Oracle. Jared Jesse, Rich [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 11:03 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Interesting. Does CHANGE_ON_INSTALL have the same hash value for every version and every instance? Not being much of a hacker (anymore) I would think that with only one algorithm and several known passwords (you can generate them yourself), this wouldn't be much of a challenge to real hackers. Hell, the client encrypts it to send to the server, right? That code could be reverse engineered, too. BTW, VMS has many algorithms in play to help prevent such an attack on it's passwords. plug plug Oh to have the spare time of a 15-year old again... :) Rich Rich Jesse System/Database Administrator [EMAIL PROTECTED] Quad/Tech International, Sussex, WI USA -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Jesse, Rich INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
I've tested this on versions 7 - 9. Version and platform do not matter. Hash is determined by username and password. Jared david hill [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 01:26 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password I created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- Sent: Tuesday, December 17, 2002 3:15 PM To: Multiple recipients of list ORACLE-L how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list
RE: password
Yes, but that is not what he asked. Try logging in with the value from dba_users. ;) Jared Bob Metelsky [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 10:14 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password How about select username, password from dba_users; USERNAME PASSWORD -- SYSD4C5016086B2DC6A SYSTEM D4DF7931AB130E37 This is part of the becomeuser script where you can change and then reset the password for a user spool C:\reset.sql select ' alter user 1 identified by values ' |||| password||||' profile '||profile||';' from dba_users where username = upper ('1') ; spool off; bob You can't. faisal ahmad [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:password how can a dba see the password of a user. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bob Metelsky INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Title: Message created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD--7A0F2B316C212D67 bob
RE: password
It has to be this way to guarantee the backward/forward compatibility of Oracle export files. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 5:22 PM To: Multiple recipients of list ORACLE-L I've tested this on versions 7 - 9. Version and platform do not matter. Hash is determined by username and password. Jared david hill [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 01:26 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password I created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- Sent: Tuesday, December 17, 2002 3:15 PM To: Multiple recipients of list ORACLE-L how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ari Kaplan INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services
RE: password
Also should be machine/OS/database_release independent for the same reason. (username encrypted password are hardcoded in the export file, and they get cloned exactly during the import. So the algorithm has to be unique and consistent. Waleed -Original Message- Sent: Tuesday, December 17, 2002 5:47 PM To: '[EMAIL PROTECTED]' It has to be this way to guarantee the backward/forward compatibility of Oracle export files. Regards, Waleed -Original Message- Sent: Tuesday, December 17, 2002 5:22 PM To: Multiple recipients of list ORACLE-L I've tested this on versions 7 - 9. Version and platform do not matter. Hash is determined by username and password. Jared david hill [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 01:26 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password I created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- Sent: Tuesday, December 17, 2002 3:15 PM To: Multiple recipients of list ORACLE-L how does trying a password on your own private database help crack a password on a different database? I vaguely recall a conversation (I *think* it was with Kevin Loney) that part of the encryption key is the database name as well. --- Ari Kaplan [EMAIL PROTECTED] wrote: This program allows you to attemp password guesses on a different database. So, the program gets around the x invalid tries and the account locks by enabling the user to try passwords on their own private database. That's what their documentation said, anyway. -Ari -Original Message- Carmichael Sent: Tuesday, December 17, 2002 1:16 PM To: Multiple recipients of list ORACLE-L it's definitely a one-way encryption on the password, I forget where I read it but I do know that's true. I think that in addition to a strong password, if you lock an account after x failed attempts then they'd have to be REALLY lucky to guess it on the first few tries. Rachel --- John Kanagaraj [EMAIL PROTECTED] wrote: Jared, This seems to be a 'brute force' dictionary based attack, as I believe the Oracle password is a one-way trapdoor (just as UNIX). I don't think this will be able to crack a strong password created from say a combination of the first characters of an arbitrary sentence. John Kanagaraj Oracle Applications DBA DBSoft Inc (W): 408-970-7002 So WHO is the Reason for the Season?! Write me for details! ** The opinions and statements above are entirely my own and not those of my employer or clients ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 9:09 AM To: Multiple recipients of list ORACLE-L Subject: RE: password Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: John Kanagaraj INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing
RE: password
I tried the download in a 9.2 Sun O/S database. didn't work. even after I entered the password for the account I was testing in the words table. -Original Message- Sent: Tuesday, December 17, 2002 12:09 PM To: Multiple recipients of list ORACLE-L Hmm... Well maybe you *can* crack oracle passwords. I've just ordered the full version of this product. ( $4, I don't think I need to bother the purchasing department ). I'll let you know how it works. Jared Mark Leith [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/2002 06:23 AM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password Yes, you can do this, but it still doesn't tell you the users *current* password does it? Has anyone tried: http://home.earthlink.net/~adamshalon/oracle_password_cracker/ ? Mark -Original Message- Sent: 17 December 2002 13:59 To: Multiple recipients of list ORACLE-L And you can use it to change it to your convenience and later get this encrypted password IN without the knowledge of the user.. Regards Jai Paulo Gomes [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 12/17/02 06:08 PM Please respond to ORACLE-L To:Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Subject:RE: password nope u can get the encripted password from the oracle dictionáry -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 11:34 To: Multiple recipients of list ORACLE-L Check the post-it note on their monitor? :) -Original Message- Sent: 17 December 2002 10:55 To: Multiple recipients of list ORACLE-L he can't but he can change it to a new one and then put the old back on -Original Message- Sent: terça-feira, 17 de Dezembro de 2002 4:09 To: Multiple recipients of list ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mercadante, Thomas F INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password
Title: Message SQL*Plus: Release 9.2.0.2.0 - Production on Tue Dec 17 17:19:55 2002 Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved. Connected to: Oracle9i Enterprise Edition Release 9.2.0.2.0 - Production With the Partitioning, OLAP and Oracle Data Mining options JServer Release 9.2.0.2.0 - Production SQL create user test identified by test; User created. SQL select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 SQL -Original Message-From: Bob Metelsky [mailto:[EMAIL PROTECTED]]Sent: Tuesday, December 17, 2002 2:26 PMTo: Multiple recipients of list ORACLE-LSubject: RE: password created a user test identified by test on 2 separate systems in db's with different names The password value was the same Can someone verify if it is the same on their system Create user test identified by test; select password from dba_users where username = 'TEST'; PASSWORD -- 7A0F2B316C212D67 -Original Message- on my db LTRACK1 SQL select password from dba_users where username = 'TEST'; PASSWORD--7A0F2B316C212D67 bob
Re: password
quistion is this that how can dba see a user,s password in readable outputt. i mean if password is "tiger" it should be seen as "tiger" From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: Re: password Date: Tue, 17 Dec 2002 08:46:13 -0800 You can't. "faisal ahmad" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 12/16/2002 08:09 PM Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> cc: Subject: password how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Add photos to your e-mail with MSN 8. Get 2 months FREE*. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password
Walk over to their desk and look for post-it notes attached to the monitor. Failing that you probably have to ask them. As I understand it, you cannot reverse-engineer a password from within Oracle. The common workaround scripts available store the encrypted password in a temporary table, change the password, let you connect and then copy the encrypted password back when complete. This might be ok depending on what you need to do. But why would you need their password anyway? faisal ahmad faisalahmad4u@ho To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] tmail.com cc: Sent by:Subject: password [EMAIL PROTECTED] 17/12/2002 15:09 Please respond to ORACLE-L how can a dba see the password of a user. The new MSN 8: smart spam protection and 2 months FREE* -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: faisal ahmad INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Privileged/Confidential information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail or by telephone on (61 3) 9612-6999. Please advise immediately if you or your employer does not consent to Internet e-mail for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of Transurban City Link Ltd shall be understood as neither given nor endorsed by it. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mark Richard INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password Generator...
Title: RE: Password Generator... We use this ... PROCEDURE Generate ( USERID VARCHAR2 ) IS newpass VARCHAR2(20); dbname VARCHAR2(10); /* connect system grant execute on admin_passwd to sys; create synonym sys.admin_passwd for system.admin_passwd; */ BEGIN DBMS_OUTPUT.ENABLE(10); newpass := dbms_random.string('U',4)||TO_CHAR(SYSDATE,'SS')||DBMS_RANDOM.STRING('U',2); EXECUTE IMMEDIATE 'alter user '||USERID||' identified by '||newpass; SELECT NAME INTO dbname FROM v$database; UPDATE tcs.system_users SET password_update_date=TRUNC(SYSDATE) WHERE su_sys_user_name=USERID; DBMS_OUTPUT.PUT_LINE('The new password for '||USERID||' is '||newpass||' in the '||dbname||' database.'); EXECUTE IMMEDIATE 'alter user '||USERID||' password expire'; EXECUTE IMMEDIATE 'alter user '||USERID||' account unlock'; EXCEPTION WHEN NO_DATA_FOUND THEN NULL; WHEN OTHERS THEN -- Consider logging the error and then re-raise RAISE; END generate; this is inside a package which is propogated to all DB's ... the system_users is an application table. Raj __ Rajendra Jamadagni MIS, ESPN Inc. Rajendra dot Jamadagni at ESPN dot com Any opinion expressed here is personal and doesn't reflect that of ESPN Inc. QOTD: Any clod can have facts, but having an opinion is an art! -Original Message- From: Loughmiller, Greg [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 21, 2002 11:39 AM To: Multiple recipients of list ORACLE-L Subject: OT: Password Generator... Hey folks- I have a question that was presented to me by a web development team.. Does anyone know of products,procedures,etc that would generate a random password for a user? For example-similar to that at MetaLink when you forget your password-and they send you a new one that is just a string of characters/numeric digits... Thanks! Greg Loughmiller Sr Manager - Enterprise Data Architecture gloughmiller (IPS) 678.893.3217 (office) This e-mail message is confidential, intended only for the named recipient(s) above and may contain information that is privileged, attorney work product or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify corporate MIS at (860) 766-2000 and delete this e-mail message from your computer, Thank you.*2
RE: Password Generator...
-Original Message- Does anyone know of products,procedures,etc that would generate a random password for a user? -- Bang on the computer keyboard with the palms of both hands and see what comes out. This random password generator has been around for a long time; and it's free. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Stephen Lee INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Password is not case sensity and uncrypted
the password is not case-sensitive which table shows the password unencrypted? Not DBA_USERS, it's definitely encrypted in there, unless you created the account with quotes around the password, then it shows in plain text and the user won't be able to login in in any case. --- Nguyen, David M [EMAIL PROTECTED] wrote: Is password case-sensity in oracle database? And how do I encrypt it as it shows unencrypted in password field? Thanks, David -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Nguyen, David M INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do you Yahoo!? New DSL Internet Access from SBC Yahoo! http://sbc.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Rachel Carmichael INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password is not case sensity and uncrypted
Title: RE: Password is not case sensity and uncrypted AFAIK password is NOT case sensitive unless of course you enclose in double-quotes. Also dba_users shows encrypted password. What table are we taking here that shows plain text passwords? Is it an application table? Raj __ Rajendra Jamadagni MIS, ESPN Inc. Rajendra dot Jamadagni at ESPN dot com Any opinion expressed here is personal and doesn't reflect that of ESPN Inc. QOTD: Any clod can have facts, but having an opinion is an art! -Original Message- From: Nguyen, David M [mailto:[EMAIL PROTECTED]] Sent: Friday, October 04, 2002 1:48 PM To: Multiple recipients of list ORACLE-L Subject: Password is not case sensity and uncrypted Is password case-sensity in oracle database? And how do I encrypt it as it shows unencrypted in password field? Thanks, David -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Nguyen, David M INET: [EMAIL PROTECTED] Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). *This e-mail message is confidential, intended only for the named recipient(s) above and may contain information that is privileged, attorney work product or exempt from disclosure under applicable law. If you have received this message in error, or are not the named recipient(s), please immediately notify corporate MIS at (860) 766-2000 and delete this e-mail message from your computer, Thank you.*1
RE: Password is not case sensity and uncrypted
There are certain rules Oracle uses for its names, one of which is that names are case insensitive. Password falls under these rules. That said, you can override these rules by enclosing the password in quotation marks (just as you could do the same for a table). So SQL alter user myuser identified by CaseSenSitIve will store the password in a case-sensitive manner. But then you must use quotation marks when connecting as well, e.g., $ sqlplus myuser/CaseSenSitIve And I'm not sure this will work across platforms. A Metalink note (61424.999) on this topic indicates that UNIX seems to support case-sensitive passwords, while Windows does not. About encryption, typically Oracle stores passwords in an encrypted format by default. Adam -Original Message- Sent: Friday, October 04, 2002 1:48 PM To: Multiple recipients of list ORACLE-L Is password case-sensity in oracle database? And how do I encrypt it as it shows unencrypted in password field? Thanks, David -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Nguyen, David M INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Donahue, Adam INET: [EMAIL PROTECTED] Fat City Network Services-- 858-538-5051 http://www.fatcity.com San Diego, California-- Mailing list and web hosting services - To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password aging and expiration in oracle 8.1.7
Title: RE: How to notify the password expiration in oracle? The 8.7.1 SQL*Plus does not handle ORA-28002 warnings when connecting to an 8.1.7 database account that is in the grace period (dba_users.account_status = 'EXPIRED(GRACE)'). It is listed as BUG# 1326865 on MetaLink, with a patchset available for various OS platforms. Including mine! (I almost never get bug fixes on UnixWare 7). I also found that some third party software had the same bug while others didn't (like TOAD). --Philip DouglassInternet Networking GroupDatabase AdministratorSIRS Mandarin, Inc. - Original Message - From: Mandal, Ashoke To: Multiple recipients of list ORACLE-L Sent: Tuesday, August 27, 2002 7:10 PM Subject: password aging and expiration in oracle 8.1.7 Hi All, I am trying to implement the password aging and expiration. The password for some of the users have expired on August 23, 2002. When I try to login it does not give any warning. Only thing I observed that the account_status was changed from OPEN to EXPIRED(GRACE) during my first attempt to login. Could any of you explain me, why the warning message is not appearing when I attempt to login during the grace period. Am I missing something. Following email from Richard explains how should it work. Thanks, Ashoke -Original Message-From: Richard Huntley [mailto:[EMAIL PROTECTED]]Sent: Monday, July 22, 2002 3:59 PMTo: Multiple recipients of list ORACLE-LSubject: RE: How to notify the password expiration in oracle? From the 8i docs: Password Aging and Expiration DBAs use the CREATE PROFILE statement to specify a maximum lifetime for passwords. When the specified amount of time passes and the password expires, the user or DBA must change the password. The following statement indicates that ASHWINI can use the same password for 90 days before it expires: CREATE PROFILE prof LIMIT FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 30 PASSWORD_LIFE_TIME 90; ALTER USER ashwini PROFILE prof; DBAs can also specify a grace period using the CREATE PROFILE statement. Users enter the grace period upon the first attempt to login to a database account after their password has expired. During the grace period, a warning message appears each time users try to log in to their accounts, and continues to appear until the grace period expires. Users must change the password within the grace period. If the password is not changed within the grace period, the account expires and no further logins to that account are allowed until the password is changed. Figure 22-2 shows the chronology of the password lifetime and grace period.
Re: password aging and expiration in oracle 8.1.7
If you are logging in via SQL Plus, ensure that set serveroutput on is set in your local glogin.sql file. If you are logging in via an application using JDBC or OCI, then the call must be made to with the ChangePassword Parameter. See the OCI and JDBC documentation for this information. Also, ensure that RESOURCE_LIMIT = TRUE in the init.ora file. I have implemented password aging and expiration and it works fine, just as intended. Which sometimes irks off the users. RWB Mandal, Ashoke [EMAIL PROTECTED]@fatcity.com on 08/27/2002 06:10:00 PM Please respond to [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: Hi All, I am trying to implement the password aging and expiration. The password for some of the users have expired on August 23, 2002. When I try to login it does not give any warning. Only thing I observed that the account_status was changed from OPEN to EXPIRED(GRACE) during my first attempt to login. Could any of you explain me, why the warning message is not appearing when I attempt to login during the grace period. Am I missing something. Following email from Richard explains how should it work. Thanks, Ashoke -Original Message- Sent: Monday, July 22, 2002 3:59 PM To: Multiple recipients of list ORACLE-L From the 8i docs: Password Aging and Expiration DBAs use the CREATE PROFILE statement to specify a maximum lifetime for passwords. When the specified amount of time passes and the password expires, the user or DBA must change the password. The following statement indicates that ASHWINI can use the same password for 90 days before it expires: CREATE PROFILE prof LIMIT FAILED_LOGIN_ATTEMPTS 4 PASSWORD_LOCK_TIME 30 PASSWORD_LIFE_TIME 90; ALTER USER ashwini PROFILE prof; DBAs can also specify a grace period using the CREATE PROFILE statement. Users enter the grace period upon the first attempt to login to a database account after their password has expired. During the grace period, a warning message appears each time users try to log in to their accounts, and continues to appear until the grace period expires. Users must change the password within the grace period. If the password is not changed within the grace period, the account expires and no further logins to that account are allowed until the password is changed. Figure 22-2 shows the chronology of the password lifetime and grace period. -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password question
Title: RE: password question Tough crowd. I never said it would be easy. Original question was just decrypting with the assumption that access to dba_users was given. Perhaps I should setup a test environment and sniff traffic going to port 1521 to see if usernames and hashes just happen to be on the wire. Of course Oracle Advanced Security uses another port and utilizes 3DES and MD5/SHA1 checksumming. I guess if you think about it some possibilites of cracked password use could be: 1. DBA leaves and then still has access even if related accounts removed. 2. If able to figure from export (as non-dba) audits of actions whether disruptive or stealing of information go to someone else. 3. If able to figure from export (again as non-dba) you then have access to actively changing data whereas the export is static. There are database scanners on the market for Oracle now that do test accounts against patterns. Yes, you do need to run them from a dba account. Jon -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, February 22, 2002 2:33 AM To: Multiple recipients of list ORACLE-L Subject: RE: password question But where do you get the known or captured hash ? Only a DBA can query DBA_USERS for PASSWORD. A regular user cannot query DBA_USERS and cannot see PASSWORD in ALL_USERS. If you are already a DBA on the target database you really don't need to find out the password for another user. Supposing you grab a site's FULL Export dump. I guess you can then do a FULL Import and get the captured hash. But why do you need it now that you have the FULL Database with you anyway ? Hemant K Chitale Principal DBA Chartered Semiconductor Manufacturing Ltd Jon Baker [EMAIL PROTECTED] 22/02/2002 02:08 PM Sent by: [EMAIL PROTECTED] Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group) Subject: RE: password question One way hash, yes, but can use username to forceably crack the password (same idea as unix CRACK password cracking program). Hash is consistent which is why you can pick up the password string and drop it to another database (same username) and have the password work on the new machine. A non Oracle example would be to perform the following at the unix prompt: echo 'some test string' | md5 With the hash, you could create several variations and test against the known or 'captured' hash. Again, brute force method. Jon Baker Database Architect [EMAIL PROTECTED] www.netsec.net -Original Message- [mailto:[EMAIL PROTECTED]] Sent: Friday, February 22, 2002 12:18 AM To: Multiple recipients of list ORACLE-L Sameer, The obvious answer you can't decrypt the password. Else a number of people would think harder about buying Oracle. It's a one-way hash -- you can't get the original value back. It is possible to temporarily reset a user's password to something else, become the user with your own password and reset the password back to the original value, without knowing what the original password was. e.g. suppose a user's encrypted password string is 'ABCDEFGHIJKLMNOP', read this string from DBA_USERS, store it someplace (a variable, a table ;), execute ALTER USER username identified by mypassword, login as the user CONNECT username/mypassword, do your SQLs as that user, reset the user's password ALTER USER username identified by values 'ABCDEFGHIJKLMNOP' Hemant K Chitale Principal DBA Chartered Semiconductor Manufacturing Ltd Ghadge,Sameer [EMAIL PROTECTED] 22/02/2002 11:38 AM Sent by: [EMAIL PROTECTED] Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group) Subject: password question Hi, Oracle stores password in encrypted format, is it possible (suppose i have access to dba_users table) to retrieve and descrypt the password. thx Sameer -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ghadge,Sameer INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists To REMOVE yourself
Re: password question
The encrypted password is available in dba_users, but it's not possible to decrypt it. --- Ghadge,Sameer [EMAIL PROTECTED] wrote: Hi, Oracle stores password in encrypted format, is it possible (suppose i have access to dba_users table) to retrieve and descrypt the password. thx Sameer -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ghadge,Sameer INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). __ Do You Yahoo!? Yahoo! Sports - Coverage of the 2002 Olympic Games http://sports.yahoo.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Paul Baumgartel INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: password question
Sameer, The obvious answer you can't decrypt the password. Else a number of people would think harder about buying Oracle. It's a one-way hash -- you can't get the original value back. It is possible to temporarily reset a user's password to something else, become the user with your own password and reset the password back to the original value, without knowing what the original password was. e.g. suppose a user's encrypted password string is 'ABCDEFGHIJKLMNOP', read this string from DBA_USERS, store it someplace (a variable, a table ;), execute ALTER USER username identified by mypassword, login as the user CONNECT username/mypassword, do your SQLs as that user, reset the user's password ALTER USER username identified by values 'ABCDEFGHIJKLMNOP' Hemant K Chitale Principal DBA Chartered Semiconductor Manufacturing Ltd Ghadge,Sameer [EMAIL PROTECTED] 22/02/2002 11:38 AM Sent by: [EMAIL PROTECTED] Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group) Subject: password question Hi, Oracle stores password in encrypted format, is it possible (suppose i have access to dba_users table) to retrieve and descrypt the password. thx Sameer -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ghadge,Sameer INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password question
Title: RE: password question One way hash, yes, but can use username to forceably crack the password (same idea as unix CRACK password cracking program). Hash is consistent which is why you can pick up the password string and drop it to another database (same username) and have the password work on the new machine. A non Oracle example would be to perform the following at the unix prompt: echo 'some test string' | md5 With the hash, you could create several variations and test against the known or 'captured' hash. Again, brute force method. Jon Baker Database Architect [EMAIL PROTECTED] www.netsec.net -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, February 22, 2002 12:18 AM To: Multiple recipients of list ORACLE-L Subject: Re: password question Sameer, The obvious answer you can't decrypt the password. Else a number of people would think harder about buying Oracle. It's a one-way hash -- you can't get the original value back. It is possible to temporarily reset a user's password to something else, become the user with your own password and reset the password back to the original value, without knowing what the original password was. e.g. suppose a user's encrypted password string is 'ABCDEFGHIJKLMNOP', read this string from DBA_USERS, store it someplace (a variable, a table ;), execute ALTER USER username identified by mypassword, login as the user CONNECT username/mypassword, do your SQLs as that user, reset the user's password ALTER USER username identified by values 'ABCDEFGHIJKLMNOP' Hemant K Chitale Principal DBA Chartered Semiconductor Manufacturing Ltd Ghadge,Sameer [EMAIL PROTECTED] 22/02/2002 11:38 AM Sent by: [EMAIL PROTECTED] Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group) Subject: password question Hi, Oracle stores password in encrypted format, is it possible (suppose i have access to dba_users table) to retrieve and descrypt the password. thx Sameer -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ghadge,Sameer INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051 San Diego, California -- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: password question
But where do you get the known or captured hash ? Only a DBA can query DBA_USERS for PASSWORD. A regular user cannot query DBA_USERS and cannot see PASSWORD in ALL_USERS. If you are already a DBA on the target database you really don't need to find out the password for another user. Supposing you grab a site's FULL Export dump. I guess you can then do a FULL Import and get the captured hash. But why do you need it now that you have the FULL Database with you anyway ? Hemant K Chitale Principal DBA Chartered Semiconductor Manufacturing Ltd Jon Baker [EMAIL PROTECTED]22/02/2002 02:08 PM Sent by: [EMAIL PROTECTED] Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group) Subject: RE: password question One way hash, yes, but can use username to forceably crack the password (same idea as unix CRACK password cracking program). Hash is consistent which is why you can pick up the password string and drop it to another database (same username) and have the password work on the new machine. A non Oracle example would be to perform the following at the unix prompt: echo 'some test string' | md5 With the hash, you could create several variations and test against the known or 'captured' hash. Again, brute force method. Jon Baker Database Architect [EMAIL PROTECTED] www.netsec.net -Original Message- [mailto:[EMAIL PROTECTED]] Sent: Friday, February 22, 2002 12:18 AM To: Multiple recipients of list ORACLE-L Sameer, The obvious answer you can't decrypt the password. Else a number of people would think harder about buying Oracle. It's a one-way hash -- you can't get the original value back. It is possible to temporarily reset a user's password to something else, become the user with your own password and reset the password back to the original value, without knowing what the original password was. e.g. suppose a user's encrypted password string is 'ABCDEFGHIJKLMNOP', read this string from DBA_USERS, store it someplace (a variable, a table ;), execute ALTER USER username identified by mypassword, login as the user CONNECT username/mypassword, do your SQLs as that user, reset the user's password ALTER USER username identified by values 'ABCDEFGHIJKLMNOP' Hemant K Chitale Principal DBA Chartered Semiconductor Manufacturing Ltd Ghadge,Sameer [EMAIL PROTECTED] 22/02/2002 11:38 AM Sent by: [EMAIL PROTECTED] Please respond to ORACLE-L To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] cc: (bcc: CHITALE Hemant Krishnarao/IT/CHRT/ST Group) Subject: password question Hi, Oracle stores password in encrypted format, is it possible (suppose i have access to dba_users table) to retrieve and descrypt the password. thx Sameer -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Ghadge,Sameer INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San
RE: Password Changes
Jared, I may be out to lunch (and I haven't create too many users lately) but I though later versions of Oracle could be set to prevent repeating a password over time (and/or length, randomness restrictions). If this is the case, wouldn't the old password have to be kept somewhere? Mike -Original Message- Sent: Thursday, December 06, 2001 7:37 PM To: Multiple recipients of list ORACLE-L It can be seen in dba_users. The table is sys.user$. Once you've changed it, the old value is gone for good. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Hand, Michael T INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password Changes
Mike, Good point, I obviously was out to lunch on that one. Your mission, should you choose to accept it, is to search out and disseminate the knowledge regarding this old password. Should you choose not to accept this mission, I will disavow all knowledge of this email and claim it was spoofed by persons unknown. This message will not self destruct in 5 seconds, but will probably hang around in various archives for centuries, consuming valuable resources. Now where'd that coffee go to... Jared Hand, Michael T To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] HANDM@polaroi cc: d.com Subject: RE: Password Changes Sent by: [EMAIL PROTECTED] om 12/07/01 07:25 AM Please respond to ORACLE-L Jared, I may be out to lunch (and I haven't create too many users lately) but I though later versions of Oracle could be set to prevent repeating a password over time (and/or length, randomness restrictions). If this is the case, wouldn't the old password have to be kept somewhere? Mike -Original Message- Sent: Thursday, December 06, 2001 7:37 PM To: Multiple recipients of list ORACLE-L It can be seen in dba_users. The table is sys.user$. Once you've changed it, the old value is gone for good. Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Hand, Michael T INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password Changes
If you have an old full export of the database, you can find in the beginning of the file the users definitions like: Create user USER identified by values 'some value' Search for the user you're interested in and get the encrypted password 'some value' and run this command: Alter user USER identified by values 'some value' ; Regards, Waleed -Original Message- Sent: Thursday, December 06, 2001 7:37 PM To: Multiple recipients of list ORACLE-L It can be seen in dba_users. The table is sys.user$. Once you've changed it, the old value is gone for good. Jared Burton, Laura L. To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] BurtonL@prism cc: plus.comSubject: Password Changes Sent by: [EMAIL PROTECTED] om 12/06/01 10:29 AM Please respond to ORACLE-L When you alter a user's password, what table does it update? I need to 'restore' a password for a user back to what it was before I changed it, but do not know what it was. Any ideas?? Can this be done? Thanks, Laura -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Khedr, Waleed INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Password Changes
Sounds like you had better fess up and ask the user what it is ;-) If you know ahead of time that this is what you want to do, there is an old trick to change it and then change it back to the original when done. I just tried it on 8.1.7 and it still works: col password old_value pw10 select password from dba_users where username = upper('1'); alter user 1 identified by temp1; Open another sqlplus sessions and logon using temp1 as the password. When you're done, change it back to the original password from the original session: alter user 1 identified by values 'pw10'; Mike From: [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] Subject: Re: Password Changes Date: Thu, 06 Dec 2001 16:36:59 -0800 It can be seen in dba_users. The table is sys.user$. Once you've changed it, the old value is gone for good. Jared Burton, Laura L. To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] BurtonL@prism cc: plus.comSubject: Password Changes Sent by: [EMAIL PROTECTED] om 12/06/01 10:29 AM Please respond to ORACLE-L When you alter a user's password, what table does it update? I need to 'restore' a password for a user back to what it was before I changed it, but do not know what it was. Any ideas?? Can this be done? Thanks, Laura -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). _ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Mike Killough INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password Changes
Jared, All, The challenge has been accepted. In this episode of This Old Password we search for the lost password with the help of sql_trace and a new test profile. And voila, we discover the SYS table user_history$. The moral of the story is that if the aforementioned user is assigned a profile where Password_Reuse_Time or Password_Reuse_Max is not Unlimited (the default), then old passwords will be stored in user_history$.password until they are no longer required to enforce the profile constraints. If the user is not assigned this type of profile you are out of luck. And, of course, you would have to disable the profile to reset the password to an already-been-used value. You never know what you'll start with some questions ;-) Have a great weekend. Mike -Original Message- Sent: Friday, December 07, 2001 12:20 PM To: Multiple recipients of list ORACLE-L Mike, Good point, I obviously was out to lunch on that one. Your mission, should you choose to accept it, is to search out and disseminate the knowledge regarding this old password. Should you choose not to accept this mission, I will disavow all knowledge of this email and claim it was spoofed by persons unknown. This message will not self destruct in 5 seconds, but will probably hang around in various archives for centuries, consuming valuable resources. Now where'd that coffee go to... Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Hand, Michael T INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password Changes
Thanks Mike. Jared Hand, Michael T To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] HANDM@polaroi cc: d.com Subject: RE: Password Changes Sent by: [EMAIL PROTECTED] om 12/07/01 12:25 PM Please respond to ORACLE-L Jared, All, The challenge has been accepted. In this episode of This Old Password we search for the lost password with the help of sql_trace and a new test profile. And voila, we discover the SYS table user_history$. The moral of the story is that if the aforementioned user is assigned a profile where Password_Reuse_Time or Password_Reuse_Max is not Unlimited (the default), then old passwords will be stored in user_history$.password until they are no longer required to enforce the profile constraints. If the user is not assigned this type of profile you are out of luck. And, of course, you would have to disable the profile to reset the password to an already-been-used value. You never know what you'll start with some questions ;-) Have a great weekend. Mike -Original Message- Sent: Friday, December 07, 2001 12:20 PM To: Multiple recipients of list ORACLE-L Mike, Good point, I obviously was out to lunch on that one. Your mission, should you choose to accept it, is to search out and disseminate the knowledge regarding this old password. Should you choose not to accept this mission, I will disavow all knowledge of this email and claim it was spoofed by persons unknown. This message will not self destruct in 5 seconds, but will probably hang around in various archives for centuries, consuming valuable resources. Now where'd that coffee go to... Jared -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Hand, Michael T INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Password Changes
user$ is updated and why not just reset it to the known value, only if you happen to have the encrypted password, then you could set it back using alter user userid identified by values 'ENCRYPTED PASSWORD HERE'; otherwise you're outta luck. joe Burton, Laura L. wrote: When you alter a user's password, what table does it update? I need to 'restore' a password for a user back to what it was before I changed it, but do not know what it was. Any ideas?? Can this be done? Thanks, Laura -- Joe Testa, Oracle DBA Want to have a good time with a bunch of geeks? Check out: http://www.geekcruises.com/standard_interface/future_cruises.html I'm presenting, when registering drop my name :) -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Joe Testa INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password Changes
Title: Password Changes sys.dba_users-password is the field. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Burton, Laura L.Sent: Thursday, December 06, 2001 12:29 PMTo: Multiple recipients of list ORACLE-LSubject: Password Changes When you alter a user's password, what table does it update? I need to 'restore' a password for a user back to what it was before I changed it, but do not know what it was. Any ideas?? Can this be done? Thanks, Laura
Re: Password Changes
It can be seen in dba_users. The table is sys.user$. Once you've changed it, the old value is gone for good. Jared Burton, Laura L. To: Multiple recipients of list ORACLE-L [EMAIL PROTECTED] BurtonL@prism cc: plus.comSubject: Password Changes Sent by: [EMAIL PROTECTED] om 12/06/01 10:29 AM Please respond to ORACLE-L When you alter a user's password, what table does it update? I need to 'restore' a password for a user back to what it was before I changed it, but do not know what it was. Any ideas?? Can this be done? Thanks, Laura -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password with special character
Hi Thye Hock Gan, Thank you for your info. I am using Oracle 8.1.6 Solaris 7 Install patch bug122 for SQL*PLUS How can I change user password with special character alter user teddy identified by bear12#$; is not working because of alter user teddy identified by 'bear12#$'; also not working I have password_verification profile with verify_function that provided by Oracle Administrator Guide that must at least 1 special character in user password. Thank you, Sinardy -Original Message- Sent: Friday, 11 May 2001 6:34 PM To: LazyDBA mailing list This are characters you can use: !#$%()'*+,-/:;+_ if I'm not mistaken. Try them anyway. --- Sinardy Xing [EMAIL PROTECTED] wrote: Hi all, Can Oracle User change their password with special characters? Thank you very much Sinady Think you know someone who can answer the above question? Forward it to them! To unsubscribe: send a blank email to [EMAIL PROTECTED] To subscribe: send a blank email to [EMAIL PROTECTED] Visit the list archive: http://www.LAZYDBA.com/odbareadmail.pl Tell yer mates about http://www.farAwayJobs.com __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ Think you know someone who can answer the above question? Forward it to them! To unsubscribe: send a blank email to [EMAIL PROTECTED] To subscribe: send a blank email to [EMAIL PROTECTED] Visit the list archive: http://www.LAZYDBA.com/odbareadmail.pl Tell yer mates about http://www.farAwayJobs.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Sinardy Xing INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password with special character
If you're using the a profile with a password_verify function, then you shouldn't be using ALTER USER to change a user's password. If you are trying to change the password through SQL*Plus, then you should instead be using the SQL*Plus PASSWORD command: SQL PASSWORD username Using this command will validate the user's new password using the password_verify function that is specified in the user's profile, and will allow for the password to contain the special characters that you are trying to use. When you use ALTER USER it doesn't use that password_verify function, and because it is a DDL command, it limits you to Oracle's object naming restrictions, which will not allow you to use most special characters. For more information on this, see the Oracle8i Administrators Guide, pp 21-15 under Password Complexity Verification, and also the SQL*Plus Users Guide and Reference Release 8.1.6, pp 8-76 for details on using the PASSWORD command. Both of these documents are available on Metalink. -::YEX::- ))) -Original Message- Sent: Friday, 11 May, 2001 10:01 AM To: Multiple recipients of list ORACLE-L Hi Thye Hock Gan, Thank you for your info. I am using Oracle 8.1.6 Solaris 7 Install patch bug122 for SQL*PLUS How can I change user password with special character alter user teddy identified by bear12#$; is not working because of alter user teddy identified by 'bear12#$'; also not working I have password_verification profile with verify_function that provided by Oracle Administrator Guide that must at least 1 special character in user password. Thank you, Sinardy -Original Message- Sent: Friday, 11 May 2001 6:34 PM To: LazyDBA mailing list This are characters you can use: !#$%()'*+,-/:;+_ if I'm not mistaken. Try them anyway. --- Sinardy Xing [EMAIL PROTECTED] wrote: Hi all, Can Oracle User change their password with special characters? Thank you very much Sinady Think you know someone who can answer the above question? Forward it to them! To unsubscribe: send a blank email to [EMAIL PROTECTED] To subscribe: send a blank email to [EMAIL PROTECTED] Visit the list archive: http://www.LAZYDBA.com/odbareadmail.pl Tell yer mates about http://www.farAwayJobs.com __ Do You Yahoo!? Yahoo! Auctions - buy the things you want at great prices http://auctions.yahoo.com/ Think you know someone who can answer the above question? Forward it to them! To unsubscribe: send a blank email to [EMAIL PROTECTED] To subscribe: send a blank email to [EMAIL PROTECTED] Visit the list archive: http://www.LAZYDBA.com/odbareadmail.pl Tell yer mates about http://www.farAwayJobs.com -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Sinardy Xing INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Yexley Robert D SSgt AFIT/SCA INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Re: Password with special character
Sinardy Xing wrote: Hi all, Can Oracle User change their password with special characters? As with other Oracle identifiers, you have to put double quotes around the password to include nonstandard stuff. SQL ALTER USER SCOTT IDENTIFIED BY *^%$$# L; User altered. SQL CONNECT scott/*^%$$# L Connected. Supposedly, lower case letters aren't supported in these passwords, but I've seen it work just fine. Incidentally, double quotes are not supported by the SQL*Plus password command, which is a shame. I've logged a TAR on this problem. Good luck Bill __ http://www.datacraft.com/http://plnet.org/ -- Please see the official ORACLE-L FAQ: http://www.orafaq.com -- Author: Bill Pribyl INET: [EMAIL PROTECTED] Fat City Network Services-- (858) 538-5051 FAX: (858) 538-5051 San Diego, California-- Public Internet access / Mailing Lists To REMOVE yourself from this mailing list, send an E-Mail message to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
RE: Password with special character
Title: RE: Password with special character -Original Message- From: Sinardy Xing [mailto:[EMAIL PROTECTED]] I am using Oracle 8.1.6 Solaris 7 Install patch bug122 for SQL*PLUS How can I change user password with special character alter user teddy identified by bear12#$; is not working because of alter user teddy identified by 'bear12#$'; also not working I have password_verification profile with verify_function that provided by Oracle Administrator Guide that must at least 1 special character in user password. Two things: a) the is a special character for SQL*Plus, used for string substitution. b) Passwords, like database object names, must be surrounded by double quotes when they contain special characters. e.g. SQL -- turn off substitution SQL set define off SQL -- surround password by for special char. SQL alter user jrk identified by bear12#$ ; User altered. -- Jacques R. Kilchoer (949) 754-8816 Quest Software, Inc. 8001 Irvine Center Drive Irvine, California 92618 U.S.A. http://www.quest.com