Tuesday, December 25, 2007

Merry Christmas and an Oracle Database 11g New Feature - Password Changes

MERRY CHRISTMAS!!!! I hope you are enjoying this holiday!!

There are some new features in Oracle Database 11g with respect to user passwords you might want to know about.

1. DBA_USERS no longer displays the password hash at all. The column is there, but it's NULL.
2. You can still use user$ to find the password hash.
3. Passwords are salted, so two accounts with the same password get different hashes, as seen here.

The robert and robert1 accounts both have a password set to robert in this example:

SQL> l
  1  select name, password from user$
  2* where name like '%ROBERT%'
SQL> /

NAME                           PASSWORD
------------------------------ -----------------
ROBERT                         F26C10F60B4EFB98
ROBERT1                        F3042C3EBB6E134F

Note that the hashes are different even though the passwords are the same. This is because the passwords are "salted".

4. Salting does not affect the ability to use the "identified by values" clause with the SAME ACCOUNT, as seen here:

SQL> /

NAME                           PASSWORD
------------------------------ ------------------------------
ROBERT                         F26C10F60B4EFB98
ROBERT1                        F3042C3EBB6E134F

SQL> grant dba to robert, robert1
2 ;

Grant succeeded.

SQL> alter user robert1 identified by dodo;

User altered.

SQL> connect robert1/dodo
Connected.
SQL> alter user robert1 identified by values 'F3042C3EBB6E134F';

User altered.

However, if you use the same hash value with a different account, it will not work. Here, we changed the robert1 account to use the password hash from the robert account (whose password is still robert), and the login with that password is rejected. Thus, the hash depends on the user account (which provides the "salting" key)...

SQL> connect robert1/robert
Connected.
SQL> alter user robert1 identified by values 'F26C10F60B4EFB98';

User altered.

SQL> connect robert1/robert
ERROR:
ORA-01017: invalid username/password; logon denied


Warning: You are no longer connected to ORACLE.
SQL>
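
Since the hashes are still readable from user$ (item 2), a useful follow-up check is which accounts can actually query that table. The query below is an added example, not part of the original post; it assumes a DBA session on 11g, where the SELECT ANY DICTIONARY privilege covers SYS.USER$, and it uses only the standard DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views.

```sql
-- Added example: list every grantee that can read password hashes in SYS.USER$.
-- Assumption: 11g behaviour, where SELECT ANY DICTIONARY includes SYS.USER$.
with holders as (
  -- Direct object grants on the table itself (to users or roles)
  select grantee, 'object grant: ' || privilege as how
    from dba_tab_privs
   where owner = 'SYS'
     and table_name = 'USER$'
  union
  -- System privilege that opens the SYS dictionary tables
  select grantee, 'system privilege: ' || privilege
    from dba_sys_privs
   where privilege = 'SELECT ANY DICTIONARY'
),
via_role as (
  -- Walk role grants downward from any role found above,
  -- remembering which role the access originally came from
  select grantee, connect_by_root granted_role as root_role
    from dba_role_privs
   start with granted_role in (select grantee from holders)
 connect by nocycle prior grantee = granted_role
)
select h.grantee as account, h.how
  from holders h
union
-- Keep only real accounts reached through a role chain
select v.grantee, 'via role ' || v.root_role
  from via_role v
 where v.grantee in (select username from dba_users)
 order by 1, 2;
```

Any account in the result beyond the expected administrative ones can read the same hashes shown in the user$ queries above.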
