Fact sheet about Oracle database passwords
Oracle Password Algorithm (7-10g Rel.2) (Designed by Bob Baldwin)
Up to 30 characters long. All characters will be converted to uppercase before the hashing starts
8-byte hash, encrypted with a DES encryption algorithm without real salt (just the username).
The algorithm can be found in the book "Special Ops Host And Network Security For Microsoft, Unix, And Oracle" on page 727.
Oracle database 11g offers the (optional) possibility to use passwords up to 30 characters (uppercase/lowercase). In Oracle 11g the passwords are now hashed with DES (column: password) AND using SHA-1 (column: spare4). The SHA-1 passwords are now supporting mixed-case passwords. In 11g the password hashes are no longer available in dba_users.
Oracle Password Cracker
A comparision of different password cracker can be found here. Benchmarks for different password crackers are available here (10g) and here (11g) .
Location of Oracle password hashes
Show Oracle password hashkey (old DES hash)
You should always select database users from the table not from the views (ALL_USERS, DBA_USERS). An explanation (modification of database views via rootkits) can be found here.
Show Oracle password hashkey (11g, new SHA-1 hash)
In 11g the password hash is no longer accessible via dba_users
How to change an Oracle password?
You should always use the password command because the password is sent unencrypted over the net (without Advanced Security Option) if you use the alter user syntax.
How to change an Oracle password temporarily?
In Oracle it is possible to change a password temporarily. This can be useful for DBA which act as a different user.
SQL> select username,password from dba_users where username='SCOTT';
SQL> alter user scott identified by mypassword;
Now login with the following credentials: scott/tiger
After doing your work you can change the password back by using an undocumented feature called "by values"
SQL> alter user scott identified by values 'F894844C34402B67';
Oracle default password list
600+ default Oracle passwords
Oracle Password Policy
It is possible to setup a password policy (for strong Oracle passwords). A sample file how to do this can be found at $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. If you use this functionality please be aware that the password policy function has access to the cleartext password (for the comparisions reasons). With Oracle 11gR1 Oracle greatly enhanced the password verification function.
A hacker could modify your function and log all cleartext passwords entered by the users to a table or send it to a foreign webserver with utl_http. That's why you should checksum this function, e.g. with Repscan.
Oracle brute force attacks / Oracle Password Decryption (7-10gR2)
It is not possible to decrypt a hashstring but the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool for brute force attacks orabf calculates 1.100.000 passwords/second. The fastest tool for dictionary attacks are checkpwd and repscan with 600.000 pw per second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)
You should always use strong and long passwords to avoid brute force or dictionary attacks.
Typical Error messages related to Oracle database passwords
The following error messages are related to Oracle passwords:
Oracle database passwords in cleartext
Cleartext passwords can be typically but not necessarily found at the following places
© 2005-2007 by Red-Database-Security GmbH - last update 16-apr-2009
Oracle Patch Policy
More information available on Oracle OTN:
Security Vulnerability Fixing Policy and Process