Red-Database-Security GmbH ist Spezialist für Oracle Security

Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Oracle Audit / Hardening (Härten)
Security Schulungen

Oracle Sicherheit Blog
Veröffentlichte Alerts RSS Published Alerts
Gemeldete Alerts RSS Upcoming Alerts
Patch Informationen




Search Red-Database-Security
Fact sheet about Oracle database passwords

Oracle Password Algorithm (Designed by Bob Baldwin)

Up to 30 characters long. All characters will be converted to uppercase before the hashing starts
8-byte hash, encrypted with a modified DES encryption algorithm without real salt.
The algorithm can be found in the book "Special Ops Host And Network Security For Microsoft, Unix, And Oracle" on page 727.

  • Oracle encrypts the concatenation of (username||password)
  • sys/temp1 and system/p1 have the identical hashkey (2E1168309B5B9B7A)

Oracle Password Cracker

A comparision of different password cracker can be found here.

Location of Oracle password hashes

  • Database - SYS.USER$ - Password
  • Oracle Password File
  • Data File of the system tablespace
  • (full) Export-Files
  • archive logs

Show Oracle password hashkey

You should always select database users from the table not from the views (ALL_USERS, DBA_USERS). An explanation (modification of database views via rootkits) can be found here.

  • DBA_USERS : SELECT username, password FROM DBA_USERS;
  • SYS.USER$ : SELECT name,password FROM SYS.USER$ WHERE password is not null;

How to change an Oracle password?

You should always use the password command because the password is sent unencrypted over the net (without Advanced Security Option) if you use the alter user syntax.
  • alter user myuser identified by my!supersecretpassword;
  • SQL*Plus command: password or password username

How to change an Oracle password temporarily?

In Oracle it is possible to change a password temporarily. This can be useful for DBA which act as a different user.

SQL> select username,password from dba_users where username='SCOTT';

-------- ----------------
SCOTT F894844C34402B67

SQL> alter user scott identified by mypassword;

Now login with the following credentials: scott/tiger
After doing your work you can change the password back by using an undocumented feature called "by values"

SQL> alter user scott identified by values 'F894844C34402B67';

Oracle default password list

600+ default Oracle passwords

Oracle Password Policy

It is possible to setup a password policy (for strong Oracle passwords). A sample file how to do this can be found at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. If you use this functionality please be aware that the password policy function has access to the cleartext password (for the comparisions reasons).

A hacker could modify your function and log all cleartext passwords entered by the users to a table or send it to a foreign webserver with utl_http. That's why you should checksum this function, e.g. with Repscan.

Oracle brute force attacks / Oracle Password Decryption

It is not possible to decrypt a hashstring but the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)

  • 10 seconds to calculate all 5-ascii-character-combinations
  • 5 minutes to calculate all 6-ascii-character-combinations
  • 2 hours to calculate all 7-ascii-character-combinations
  • 2,1 days to calculate all 8-ascii-character-combinations
  • 57 days to calculate all 9-ascii-character-combinations
  • 4 years to calculate all 10-ascii-character-combinations

You should always use strong and long passwords to avoid brute force or dictionary attacks.

Typical Error messages related to Oracle database passwords

The following error messages are related to Oracle passwords:
  • ORA_28000: The account is locked
    • Wait for PASSWORD_LOCK_TIME or contact your DBA
  • ORA-28001: The password has expired
    • Change the password or contact your DBA
  • ORA-00988: Missing or invalid password(s)
    • Use double quotes for the password (e.g. alter user scott identified by "!alex";)
  • ORA-01017: Invalid username/password; logon denied
    • Contact your DBA if the problem still persists

Oracle database passwords in cleartext

Cleartext passwords can be typically but not necessarily found at the following places
  • Server
    • Shell History files
    • Unix Scripts
    • Log Files
    • Dump Files
    • Trace Files
  • Application Server
    • JDBC-Config-Files
    • Trace Files
  • DBA Client PC
    • Desktop-Shortcut
    • Batch-Files
    • Configuration files of Oracle Tools (like connections.ini)
    • Trace Files

© 2005-2006 by Red-Database-Security GmbH - last update 21-Apr-2006

Oracle Patch Policy

Vulnerability Fixing Order of Oracke Vulnerabilities

  • Main line of Code
  • New Products (e.g. 10g Rel. 2)
  • Patchsets for older products (e.g.
  • Critical Patch Update

More information available on Oracle OTN:

Security Vulnerability Fixing Policy and Process