Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: passwords case sensitive

Re: passwords case sensitive

From: Jared Still <jkstill_at_cybcon.com>
Date: Sun, 19 Oct 2003 17:44:25 -0800
Message-ID: <F001.005D3AB7.20031019174425@fatcity.com> 





Thanks Pete.



'twould be nice if Oracle allowed a package for complete
control over the password.  Doesn't seem to likely now though
with so many authentication alternatives.



Jared



On Sun, 2003-10-19 at 02:35, Pete Finnigan wrote:


> >

> >You could use it to enforce all lowercase, or init caps.

> >

> >Jared

> 

> Hi Jared,

> 

> You could do as you suggest and enforce all to lowercase or initcaps but

> what is the point?, Oracle is not case sensitive for passwords even when

> the password is set using quotes. See for example:

> 

> SQL> connect system/manager_at_zulia

> Connected.

> SQL> -- create a user no quotes lower case

> SQL> create user jared identified by jared;

> 

> User created.

> 

> SQL> select password from dba_users where username='JARED';

> 

> PASSWORD


> ------------------------------

> C142CAC4DE964694


> 

> SQL> -- change the password, no quotes upper case

> SQL> alter user jared identified by JARED;

> 

> User altered.

> 

> SQL> select password from dba_users where username='JARED';

> 

> PASSWORD


> ------------------------------

> C142CAC4DE964694


> 

> SQL> -- change the password, no quotes initcap

> SQL> alter user jared identified by Jared;

> 

> User altered.

> 

> SQL> select password from dba_users where username='JARED';

> 

> PASSWORD


> ------------------------------

> C142CAC4DE964694


> 

> SQL> -- try now with quotes, upper case

> SQL> alter user jared identified by "JARED";

> 

> User altered.

> 

> SQL> select password from dba_users where username='JARED';

> 

> PASSWORD


> ------------------------------

> C142CAC4DE964694


> 

> SQL> -- with quotes, lower case

> SQL> alter user jared identified by "jared";

> 

> User altered.

> 

> SQL> select password from dba_users where username ='JARED';

> 

> PASSWORD


> ------------------------------

> C142CAC4DE964694


> 

> SQL> -- with quotes initcap

> SQL> alter user jared identified by "Jared";

> 

> User altered.

> 

> SQL> select password from dba_users where username='JARED';

> 

> PASSWORD


> ------------------------------

> C142CAC4DE964694


> 

> As yu can no doubt see the hash is the same no matter what case is used

> and also even if the password is encased in quotes. This seems to defy

> the logic of using quotes as doing so allows the use of any character

> such as:

> 

> SQL> alter user jared identified by "£$%^";

> 

> User altered.

> 

> SQL> select password from dba_users where username='JARED';

> 

> PASSWORD


> ------------------------------

> 8248DF340D98455E

> 

> SQL> connect jared/"£$%^"@zulia

> ERROR:


> ORA-01045: user JARED lacks CREATE SESSION privilege; logon denied

> 

> 

> Warning: You are no longer connected to ORACLE.

> SQL> connect system/manager_at_zulia

> Connected.

> SQL> grant create session to jared;

> 

> Grant succeeded.

> 

> SQL> connect jared/"£$%^"@zulia

> Connected.

> SQL> 


> 

> why then if it allows the whole character set including control

> characters does it change make ASCII letters case insensitive?

> 

> Anyway the point is from above the original OP cannot force a password

> to be case sensitive as Oracle does not recognise case for passwords.

> 

> kind regards

> 

> Pete

> -- 

> Pete Finnigan

> email:pete_at_petefinnigan.com

> Web site: http://www.petefinnigan.com - Oracle security audit specialists

> Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

> 

> -- 

> Please see the official ORACLE-L FAQ: http://www.orafaq.net

> -- 

> Author: Pete Finnigan

>   INET: oracle_list_at_peterfinnigan.demon.co.uk

> 

> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com

> San Diego, California        -- Mailing list and web hosting services

> ---------------------------------------------------------------------

> To REMOVE yourself from this mailing list, send an E-Mail message

> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in

> the message BODY, include a line containing: UNSUB ORACLE-L

> (or the name of mailing list you want to be removed from).  You may

> also send the HELP command for other information (like subscribing).

> 




-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Jared Still
  INET: jkstill_at_cybcon.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Sun Oct 19 2003 - 20:44:25 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US