Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: ORA_ENCRYPT_LOGIN

RE: ORA_ENCRYPT_LOGIN

From: MacGregor, Ian A. <ian_at_SLAC.Stanford.EDU>
Date: Wed, 22 May 2002 11:52:02 -0800
Message-ID: <F001.004682DB.20020522115202@fatcity.com>


If you want to be absolutely sure the password is being encrypted, you'll need to place a sniffer on the network. Work with your network guys and whoever else needs to be involved. In most company's using an unauthorized sniffer will result in dismissal.  

Let me reinterate what I stated. SQL*NET encrypts passwords even if the ORA_ENCRYPT_LOGIN parameter is not set to TRUE I wouldn't label it strong encryption. If you really need that there is the Advanced Security Option.  

 I'm not 100% sure when the passwrod is sent in the clear. It is never sent plain text when the ORA_ENCRYPT_L0gin parameter is set to TRUE. I believe it will be sent in the clear if the Oracle server side of SQL*NET is incapable of handling encrypted passwords and ORA_ENCRYPT_LOGIN is set to false. ( I cannot , off the top of my head, remember if the parameter takes YES/NO or TRUE/FALSE).  

The first thing I would do is ensure ORA_ENCRYPT_LOGIN is true for all clients.  

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_SLAC.Stanford.edu <mailto:ian_at_SLAC.Stanford.edu>    

-----Original Message-----

Sent: Wednesday, May 22, 2002 9:59 AM
To: Multiple recipients of list ORACLE-L

That's exactly what I want to stop, passwords being sent in the clear. However, I'm not able to verify it's working so far. I've turned on tracing, as recommended in another reply on this topic, did a login before enabling then after enabling this parameter and the differences are very minor and I'm seeing nothing that specifically points to this parameter being used other than output saying the parameter is detected. How are you all having developers connect to the production box via SQL*Plus client on developer workstations, so that the password is not sent in the clear?  

-----Original Message-----

Sent: Tuesday, May 21, 2002 8:18 PM
To: Multiple recipients of list ORACLE-L

Even without this parameter being set the password is encrypted. What the parameter does is stop the password from being sent in the clear if logging in with the encrypted password fails. I believe the encryption is a 54-bit variant of DES. It is very rare that someone improves DES by fiddling with it. It also always encrypts to the same value and provides no protection against replay attacks.  

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_SLAC.Stanford.edu <mailto:ian_at_SLAC.Stanford.edu>

-----Original Message-----

Sent: Tuesday, May 21, 2002 9:34 AM
To: Multiple recipients of list ORACLE-L

Anyone using this and if so, do you know of a way to verify that the password is actually being encrypted?  

Thanks.

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: MacGregor, Ian A.
  INET: ian_at_SLAC.Stanford.EDU

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists

--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
Received on Wed May 22 2002 - 14:52:02 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US