
RE: Reverse engineer passwords

From: Ari D Kaplan <akaplan_at_interaccess.com>
Date: Fri, 14 Jul 2000 17:03:17 -0500 (CDT)
Message-Id: <10558.112119@fatcity.com>


This is correct - it is impossible to reverse-engineer passwords from Oracle. So much so that even Oracle Corporation themselves - the people that made the algorithm - cannot reverse engineer people's passwords.

Keep in mind that what William said (about forward-encrypting passwords and comparing the encrypted results) is the reason why you should not use dictionary words or your username (etc.) for your password. Someone can easily write a program to go through all usernames in the database and compare them to all dictionary words, forward-encrypting. Then it can compare the result with the value in the DBA_USERS data dictionary view. This is one way people can "hack" passwords.

By the way, I discuss some of this, and describe how to log in to the database as another user, in my white paper "A Bag of Tips and Tricks for DBAs and Developers", available for free from my page: www.arikaplan.com

If anyone finds a way to reverse engineer passwords, let me know so I can sell my stock quickly ;)

-Ari Kaplan
Independent Oracle DBA Consultant

<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->
<-> For 370+ Oracle tips, visit:                         <->
<->                                                      <->
<->             www.arikaplan.com                        <->
<->                                                      <->
<->             email: akaplan_at_interaccess.com           <->
<-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><-><->


On Fri, 14 Jul 2000, William Beilstein wrote:

> The passwords are encrypted with a non-reversible algorithm. The way you check a password is to encrypt the entered password and compare it against the stored encrypted password.
>
> >>> Linda Hagedorn <Linda_at_pets.com> 07/14/00 01:16PM >>>
> Hi Vincent,
>
> I have the encrypted password, and I want to reverse engineer it to the
> EBCDIC. Do you have the math or routine?
>
> Thanks,
>
> Linda
>
> -----Original Message-----
> Sent: Friday, July 14, 2000 5:45 AM
> To: Multiple recipients of list ORACLE-L
>
>
> Hi,
>
> Look into dba_users, there you'll find the encrypted password.
>
>
> Vincent
>
>
> -----Original Message-----
> From: root_at_fatcity.com [mailto:root_at_fatcity.com] On Behalf Of Siva_Chintalapati
> Sent: Friday, 14 July 2000 14:09
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Reverse engineer passwords
>
>
>
> Where are these passwords stored? What is that file? Will it be in encrypted
> form?
> Siva
>
> ----------
> Reply To: ORACLE-L_at_fatcity.com
> Sent: Friday, July 14, 2000 4:35 PM
> To: Multiple recipients of list ORACLE-L
>
> Hi,
>
> You can store the encrypted password in a table, change your
> password as you like, test your application, if it fails then you know where
> to look because probably the password will be somewhere in the application
> or you can put the encrypted password back in the original table.
>
> good luck
>
> Vincent Ruger
> (Oracle DBA)
>
> -----Original Message-----
> From: root_at_fatcity.com [mailto:root_at_fatcity.com] On Behalf Of Eric Lansu
> Sent: Friday, 14 July 2000 12:15
> To: Multiple recipients of list ORACLE-L
> Subject: Re: Reverse engineer passwords
>
>
> I hope it's not possible to do this reverse engineering for it would mean a
> serious security-problem.
>
> Eric Lansu
>
> ----- Original Message -----
> To: "Multiple recipients of list ORACLE-L" <ORACLE-L_at_fatcity.com>
> Sent: Thursday, 13 July 2000 22:17
>
>
> > Some passwords are lost, others are in clear text, others are operational
> > (somewhere in production), but not known due to turnover. Rather than
> > possibly break running systems by changing passwords, we (dba staff) would
> > like to reverse engineer the passwords in dba_users.
> >
> > Has anyone done this, and if so, will you send the key to me? Referrals to
> > documentation are appreciated.
> >
> > Thank you.
> >
> > Linda Hagedorn
> >
> > --
> > Author: Linda Hagedorn
> > INET: Linda_at_pets.com
> >
> > Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> > San Diego, California -- Public Internet access / Mailing Lists
> > --------------------------------------------------------------------
> > To REMOVE yourself from this mailing list, send an E-Mail message
> > to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> > the message BODY, include a line containing: UNSUB ORACLE-L
> > (or the name of mailing list you want to be removed from). You may
> > also send the HELP command for other information (like subscribing).
>
> --
> Author: Eric Lansu
> INET: eric.lansu_at_quicknet.nl
>
>
>
> --
> Author: Linda Hagedorn
> INET: Linda_at_pets.com
>
> --
> Author: William Beilstein
> INET: BeilstWH_at_obg.com
>
Received on Fri Jul 14 2000 - 17:03:17 CDT
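
Added example, not part of the original message and not Oracle's code: the check described in the thread (forward-hash a candidate, compare it with the stored value) written as a weak-password audit a DBA could run over exported verifiers. PBKDF2 stands in for the database's one-way function, and the account names, wordlist and the `one_way`, `verify` and `audit_weak_accounts` helpers are constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # kept low so the sample runs quickly


def one_way(username: str, password: str) -> str:
    """Stand-in one-way function (assumption): PBKDF2-HMAC-SHA256 salted
    with the username. It plays the same role as the database's algorithm
    but is NOT that algorithm."""
    salt = username.upper().encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def verify(username: str, entered: str, stored: str) -> bool:
    """Login check as described in the thread: hash the entered password
    and compare it with the stored value; nothing is ever decrypted."""
    return hmac.compare_digest(one_way(username, entered), stored)


def audit_weak_accounts(rows, wordlist):
    """Return {username: reason} for accounts whose stored verifier matches
    the username itself or a word from the list. Only the reason is
    reported, never the matching password."""
    findings = {}
    for username, stored in rows:
        candidates = [(username, "same as username"),
                      (username.lower(), "same as username")]
        candidates += [(word, "dictionary word") for word in wordlist]
        for guess, reason in candidates:
            if verify(username, guess, stored):
                findings[username] = reason
                break
    return findings


# Constructed sample data standing in for (username, stored verifier) rows.
SAMPLE_ROWS = [
    ("REPORTS", one_way("REPORTS", "welcome")),
    ("APPUSER", one_way("APPUSER", "appuser")),
    ("BATCH", one_way("BATCH", "q7#Lw2!vRz9$")),
]
SAMPLE_WORDS = ["password", "welcome", "oracle"]

if __name__ == "__main__":
    for user, reason in audit_weak_accounts(SAMPLE_ROWS, SAMPLE_WORDS).items():
        print(f"{user}: {reason}; force a password change")
```

Accounts the audit flags should have their passwords reset; the account with a long random password is not found because no candidate hashes to its stored value.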
