Oracle Password History [message #47236]
Fri, 30 July 2004 09:27
Deborah J Williams
Messages: 1 Registered: July 2004
Junior Member
I am planning to implement a profile for selected users and will be using the PASSWORD_REUSE and FAILED_LOGIN_ATTEMPTS features. Where is the history for passwords and login attempts kept? I assume it is in a table, but can't find it anywhere.
Thanks

Re: Oracle Password History [message #125540 is a reply to message #47236]
Mon, 27 June 2005 06:10
EdVonk
Messages: 4 Registered: June 2005 Location: The Netherlands
Junior Member
|
Use the above if you want to see what dates the passwords have been reset (and the encrypted password).
For login attempts try database auditing or use triggers.
I don't recommend that last option.
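
An added example, not part of the original thread: a profile using the two features from the question, followed by the queries a DBA could run as SYS to see the password history, the failed-login counter and audited login failures. The profile name and limit values are assumptions; PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME are the actual parameter names behind "PASSWORD_REUSE", and the SYS-owned tables shown are internal, so their layout can differ between Oracle versions.

```sql
-- Added example; APP_USER_PROFILE and the limit values are hypothetical.

-- 1. Profile that restricts password reuse and locks after repeated failures.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5      -- lock after 5 consecutive failed logins
  PASSWORD_LOCK_TIME    1      -- days the account stays locked
  PASSWORD_REUSE_MAX    10     -- password changes required before reuse
  PASSWORD_REUSE_TIME   365;   -- days required before reuse

ALTER USER test PROFILE app_user_profile;

-- 2. Confirm what the profile enforces.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_USER_PROFILE'
AND    resource_type = 'PASSWORD'
ORDER  BY resource_name;

-- 3. Password history: one row per retained old password hash.
SELECT u.name, h.password_date
FROM   sys.user_history$ h
JOIN   sys.user$ u ON u.user# = h.user#
WHERE  u.name = 'TEST'
ORDER  BY h.password_date;

-- 4. Current failed-login counter and lock state for the account.
SELECT u.name, u.lcount AS failed_logins, d.account_status, d.lock_date
FROM   sys.user$ u
JOIN   dba_users d ON d.username = u.name
WHERE  u.name = 'TEST';

-- 5. Record failed logins (needs the AUDIT_TRAIL parameter set to DB).
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- ORA-01017 = invalid username/password, ORA-28000 = account is locked.
SELECT username, os_username, userhost, terminal, timestamp, returncode
FROM   dba_audit_session
WHERE  returncode IN (1017, 28000)
ORDER  BY timestamp DESC;
```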

Re: Oracle Password History [message #141659 is a reply to message #141658]
Tue, 11 October 2005 09:07
Mahesh Rajendran
Messages: 10708 Registered: March 2002 Location: oracleDocoVille
Senior Member Account Moderator
The database password is hashed in Oracle.
You cannot decipher it into plain text.
Being able to do so will make the password utterly useless.
With DBA rights, you can always change the password of the user or reset the password to what it was using the hash.
But you cannot SEE the password in plain text.
scott@9i > alter user test identified by newpassword;
User altered.
scott@9i > connect test/newpassword;
Connected.
scott@9i > connect scott/tiger
Connected.
scott@9i > select username,password from dba_users where username='TEST';
USERNAME PASSWORD
------------------------------ ------------------------------
TEST CF072A2E3AB555FB
scott@9i > alter user test identified by values 'CF072A2E3AB555FB';
User altered.
scott@9i > connect test/newpassword
Connected.
[Updated on: Tue, 25 October 2005 13:21]

Re: Oracle Password History [message #152888 is a reply to message #149413]
Tue, 27 December 2005 08:52
skorpian23
Messages: 1 Registered: December 2005
Junior Member
Your Prof is correct, nothing is impossible in IT, the problem is the task you are asking is improbable. Oracle stores all user passwords in an encrypted form. It does not KNOW the original password. So for example, say you create a user SCOTT and the password that is assigned is "welcome". Oracle converts "welcome" into a 128 bit string. So to make things simple, let's say "welcome" gets stored as "xfdgtp" (not 128 bits, but this is only an example). Now anytime SCOTT logs in, he enters in his password of "welcome", Oracle then recalculates the encrypted password on the fly and calculates "xfdgtp". Does the entered password "xfdgtp" match the stored password "xfdgtp"? Yes, then SCOTT is logged in. Now the question is how do you convert "xfdgtp" back to "welcome", well only Oracle knows that algorithm, and like others have said, if we knew that, then Oracle's security is useless. So to ask the question what is a user's password is not practical, as not even the Oracle Database knows that...all it knows is the user enters in some password that gets encrypted to "xfdgtp" by applying some unknown algorithm to the word "welcome". This does mean that it is possible, in theory, that you can have another word that also gets encrypted to "xfdgtp". If you could find that word, that would also then be considered the user's password. So trying to reverse engineer the algorithm, which is improbable, would almost certainly not return you to the original password anyway, it would only give you a password that gets encrypted to the same encrypted password. It is like taking 2 different roads to the same place…once you are there, how can you tell which path was taken??? You can’t. You can only find a path that led you to your destination, but there is no way for certain to determine the correct starting path. I hope this helps, but in the end, there is no way for you or anyone here to retrieve the original password that was chosen.
If you really need to know it, find out who else is using it...and ask them, or reset the password to something you know.

Re: Oracle Password History [message #198541 is a reply to message #198501]
Tue, 17 October 2006 09:38
Mahesh Rajendran
Messages: 10708 Registered: March 2002 Location: oracleDocoVille
Senior Member Account Moderator
@viral.sampat
The mentioned hack is a very well-known bug in 9i which was fixed in 10g.
First you need a database link and access to sys.link$.
SYS >ed
Wrote file afiedt.buf
1 create database link dblink_10g
2 connect to scott identified by tiger
3* using 'dubbel'
SYS >/
Database link created.
SYS >select name,userid,password from sys.link$;
NAME USERID PASSWORD
------------------------------ ------------------------------ ------------------------------
DBLINK_10G SCOTT