RE: Encrypting a password

I don't think that you are going to be able to get a password encryption package that will work exactly the same for each OS and DB. they all have their own "seed" and algorithm that is proprietary to them. I once saw a professional hacker decrypt our passwords on a training server that had a flavor of Unix. He knew the "seed" for the version and it took 24 hrs to decrypt them. He did not know the "seed" or the algorithm for the DB and was unable to decrypt it.  If they all worked the same it would be a simpler task to decrypt and break into any system you had access to.
 I would suggest that you use another method of verification for the OS and DB. Is it that the users do not want to have to change their own passwords for the OS and DB. Isn't it a security violation to have all of the users passwords the same? Just a thought. $.02
ROR mª¿ªm

>>> Rick_Stephenson_at_ovid.com 07/31/01 11:28AM >>>
The problem is that I need one to encrypt a password in the same manner as the Sun OS. This is because we use the database to populate /etc/passwd. So if the OS can't compare passwords with what is stored in the database, then nobody will be able to log into the Unix box.

Thanks for you help,

Rick Stephenson

 Date: Mon, 30 Jul 2001 14:57:34 -0400
 Subject: RE: Encrypting a password

DBMS_OBFUSCATION package is exactly what you want.

I have build something like this with DBMS_OBFUSCATION although I did not compare against /etc/passwd.

I simply provided a "login" procedure, createKey, savePassword, retrievePassword.

I used a createKey function to create keys that were basically RAW(128) if I
remember correctly, then I had password stored encrypted in the database, then another table with a FK to the user table which stored the key in encrypted form.

You would need to join the key table with the encrypted password to decrypt or cross exam.

"Walking on water and developing software from a specification are easy if both are frozen."

Christopher R. Spence
Oracle DBA
Fuelspot

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com 
-- 
Author: 
  INET: Rick_Stephenson_at_ovid.com 

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).

--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Ron Rogers
  INET: RROGERS_at_galottery.org

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).