Fact sheet about Oracle database passwords
Oracle Password Algorithm (Designed by Bob Baldwin)
Up to 30 characters long. All characters will be converted to uppercase before the hashing starts
8-byte hash, encrypted with a modified DES encryption algorithm without real salt.
The algorithm can be found in the book "Special Ops Host And Network Security For Microsoft, Unix, And Oracle" on page 727.
Oracle Password Cracker
A comparision of different password cracker can be found here.
Location of Oracle password hashes
Show Oracle password hashkey
You should always select database users from the table not from the views (ALL_USERS, DBA_USERS). An explanation (modification of database views via rootkits) can be found here.
How to change an Oracle password?
You should always use the password command because the password is sent unencrypted over the net (without Advanced Security Option) if you use the alter user syntax.
How to change an Oracle password temporarily?
In Oracle it is possible to change a password temporarily. This can be useful for DBA which act as a different user.
SQL> select username,password from dba_users where username='SCOTT';
SQL> alter user scott identified by mypassword;
Now login with the following credentials: scott/tiger
After doing your work you can change the password back by using an undocumented feature called "by values"
SQL> alter user scott identified by values 'F894844C34402B67';
Oracle default password list
600+ default Oracle passwords
Oracle Password Policy
It is possible to setup a password policy (for strong Oracle passwords). A sample file how to do this can be found at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. If you use this functionality please be aware that the password policy function has access to the cleartext password (for the comparisions reasons).
A hacker could modify your function and log all cleartext passwords entered by the users to a table or send it to a foreign webserver with utl_http. That's why you should checksum this function, e.g. with Repscan.
Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt a hashstring but the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool calculates 1.100.000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)
You should always use strong and long passwords to avoid brute force or dictionary attacks.
Typical Error messages related to Oracle database passwords
The following error messages are related to Oracle passwords:
Oracle database passwords in cleartext
Cleartext passwords can be typically but not necessarily found at the following places
© 2005-2006 by Red-Database-Security GmbH - last update 21-Apr-2006
Oracle Patch Policy
More information available on Oracle OTN:
Security Vulnerability Fixing Policy and Process