Oracle, Oracle Database April 4, 2008 0

Passwords in Oracle Database

Fact sheet about Oracle database passwords

Oracle Password Algorithm (7-10g Rel.2) (Designed by Bob Baldwin)

Up to 30 characters long. All characters will be converted to uppercase before the hashing starts 8-byte hash, encrypted with a DES encryption algorithm without real salt (just the username). The algorithm can be found in the book “Special Ops Host And Network Security For Microsoft, Unix, And Oracle” on page 727.

Oracle database 11g offers the (optional) possibility to use passwords up to 50 characters (uppercase/lowercase). In Oracle 11g the passwords are now hashed with DES (column: password) AND using SHA-1 (column: spare4). The SHA-1 passwords are now supporting mixed-case passwords. In 11g the password hashes are no longer available in dba_users.

  • Oracle (7-10g R2) encrypts the concatenation of (username||password)
    and sys/temp1 and system/p1 have the identical hashkey (2E1168309B5B9B7A)
  • Oracle (11g R1) uses SHA-1 to hash the concatenation of (password||salt)

 

Oracle Password Cracker

A comparison of different password cracker can be found here. Benchmarks for different password crackers are available here (10g) and here (11g) .

Location of Oracle password hashes

  • Database – SYS.USER$ – Password
  • Oracle Password File
  • Data File of the system tablespace
  • (full) Export-Files
  • archive logs


Show Oracle password hash key (old DES hash)

You should always select database users from the table not from the views (ALL_USERS, DBA_USERS). An explanation (modification of database views via rootkits) can be found here.

  • DBA_USERS : SELECT username, password FROM DBA_USERS;
  • SYS.USER$ : SELECT name, password FROM SYS.USER$ WHERE password is not null;


Show Oracle password hash key (11g, new SHA-1 hash)

In 11g the password hash is no longer accessible via dba_users

  • SYS.USER$ : SELECT name,spare4 FROM SYS.USER$ WHERE password is not null;

How to change an Oracle password?

You should always use the password command because the password is sent unencrypted over the net (without Advanced Security Option) if you use the alter user syntax.

  • alter user myuser identified by my!supersecretpassword;
  • grant connect to myuser identified by my!supersecretpassword
  • update sys.user$ set password=’F894844C34402B67′ where name=’SCOTT’; (restart of the database necessary)
  • SQL*Plus command: password or password username

How to change an Oracle password temporarily?

In Oracle it is possible to change a password temporarily. This can be useful for DBA which act as a different user.

SQL> select username,password from dba_users where username='SCOTT';

USERNAME PASSWORD
-------- ----------------
SCOTT    F894844C34402B67

SQL> alter user scott identified by mypassword;

 

Now login with the following credentials: scott/tiger

After doing your work you can change the password back by using an undocumented feature called “by values”

SQL> alter user scott identified by values ‘F894844C34402B67’;

Oracle Password Policy


It is possible to setup a password policy (for strong Oracle passwords). A sample file how to do this can be found at:

$ORACLE_HOME/rdbms/admin/utlpwdmg.sql

If you use this functionality please be aware that the password policy function has access to the cleartext password (for the comparisions reasons). With Oracle 11gR1 Oracle greatly enhanced the password verification function.

A hacker could modify your function and log all cleartext passwords entered by the users to a table or send it to a foreign webserver with utl_http. That’s why you should checksum this function, e.g. with Repscan.


Oracle brute force attacks / Oracle Password Decryption (7-10gR2)

It is not possible to decrypt a hashstring but the simple Oracle salt (=Username) it is possible to do a brute force or dictionary attack. There are several Oracle brute force or dictionary attack tools available. These tools encrypt the username/password and compare the hashkeys. If the hashkey are identical the password is known. From simple SQL based tools (<500 pw/second) up to special C programs like checkpwd. The fastest tool for brute force attacks orabf calculates 1.100.000 passwords/second. The fastest tool for dictionary attacks are checkpwd and repscan with 600.000 pw per second. On a Pentium 4 with 3 GHz it takes (26 ascii characters only, e.g. 26^5)

  • 10 seconds to calculate all 5-ascii-character-combinations
  • 5 minutes to calculate all 6-ascii-character-combinations
  • 2 hours to calculate all 7-ascii-character-combinations
  • 2,1 days to calculate all 8-ascii-character-combinations
  • 57 days to calculate all 9-ascii-character-combinations
  • 4 years to calculate all 10-ascii-character-combinations

NOTE: You should always use strong and long passwords to avoid brute force or dictionary attacks.

Typical Error messages related to Oracle database passwords

The following error messages are related to Oracle passwords:

  • ORA_28000: The account is locked
    • Wait for PASSWORD_LOCK_TIME or contact your DBA
  • ORA-28001: The password has expired
    • Change the password or contact your DBA
  • ORA-00988: Missing or invalid password(s)
    • Use double quotes for the password (e.g. alter user scott identified by “!alex”;)
  • ORA-01017: Invalid username/password; logon denied
    • Contact your DBA if the problem still persists


Oracle database passwords in cleartext

Cleartext passwords can be typically but not necessarily found at the following places

  • Server
    • Shell History files
    • Unix Scripts
    • Log Files
    • Dump Files
    • Trace Files
  • Application Server
    • JDBC-Config-Files
    • Trace Files
  • DBA Client PC
    • Desktop-Shortcut
    • Batch-Files
    • Configuration files of Oracle Tools (like connections.ini)
    • Trace Files

References

(source: red-database-security.com)