How can the user SYS or SYSTEM to find out a user's password (merged) [message #162582] Sat, 11 March 2006 08:36
Ivancleber da Silva Neves
Messages: 74
Registered: July 2002
Member
How can the user SYS or SYSTEM find out a user's password?

Thanks in advance
Re: How can the user SYS or SYSTEM to find out a user's password ? [message #162585 is a reply to message #162582] Sat, 11 March 2006 08:41
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
You cannot. You cannot 'see' the password in plaintext or decipher it.
Logged in as SYS, one can:
* Alter another user's password.
* Alter another user's password as it was before or create a new user with the same password.

How can the user SYS or SYSTEM to find out a user's password ? [message #162656 is a reply to message #162582] Sun, 12 March 2006 21:37
Ivancleber da Silva Neves
Messages: 74
Registered: July 2002
Member
How can the user SYS or SYSTEM find out a user's password?

Thanks in advance
Re: How can the user SYS or SYSTEM to find out a user's password ? [message #162949 is a reply to message #162656] Tue, 14 March 2006 04:56
JSI2001
Messages: 1016
Registered: March 2005
Location: Scotland
Senior Member
You cannot do this.
(not in any meaningful way anyway) You can only view the encrypted password which you cannot decrypt
Jim

[Updated on: Tue, 14 March 2006 04:59]

Re: How can the user SYS or SYSTEM to find out a user's password ? [message #163112 is a reply to message #162949] Tue, 14 March 2006 23:43
orajamzs
Messages: 110
Registered: February 2006
Location: hyderabad
Senior Member
>> You cannot do this.
>> (not in any meaningful way anyway) You can only view the encrypted password which you cannot decrypt
>> Jim

You are right Jim,
But there are some tools to decrypt password in plain text.

Thanks
Re: How can the user SYS or SYSTEM to find out a user's password ? [message #163312 is a reply to message #162585] Thu, 16 March 2006 03:06
singhmanish_888
Messages: 8
Registered: October 2005
Junior Member
No, there is no way. You can't see any password in readable form.

You can only change a password or create a new password
after logging in as SYS.

Regards
Manish Singh
Re: How can the user SYS or SYSTEM to find out a user's password ? [message #163327 is a reply to message #163312] Thu, 16 March 2006 04:27
Maaher
Messages: 7065
Registered: December 2001
Senior Member
Perhaps this link from Tom Kyte might be of any help: "How to become another User in SQLPlus"

MHE
Re: How can the user SYS or SYSTEM to find out a user's password ? [message #163342 is a reply to message #163112] Thu, 16 March 2006 05:49
Mahesh Rajendran
Messages: 10707
Registered: March 2002
Location: oracleDocoVille
Senior Member
Account Moderator
>> But there are some tools to decrypt password in plain text.
That would be interesting.
Could you please give an exact reference?
Re: How can the user SYS or SYSTEM to find out a user's password ? [message #163380 is a reply to message #163342] Thu, 16 March 2006 08:59
Maaher
Messages: 7065
Registered: December 2001
Senior Member
Topics merged. Don't cross post or create duplicates to get extra attention http://www.orafaq.com/forum/fa/596/0/

MHE
Re: How can the user SYS or SYSTEM to find out a user's password (merged) [message #168115 is a reply to message #162582] Tue, 18 April 2006 21:40
markmal
Messages: 113
Registered: April 2006
Location: Toronto, Canada
Senior Member
A little bit of hairsplitting.
The password is not encrypted. It is hashed.
The hash is taken from the password and username concatenated (or mixed) together.
There is no fast, mathematically proven way to restore (decrypt) the initial value from the hash. The hash can only be brute-forced. Cracked. That means that 'ALTER USER IDENTIFIED BY passwordvar' has to be issued gazillions of times until its hashed value matches the target hashed value (the value that sits in SYS.USER$).
Only brute-force crackers, enhanced by dictionary functionality, are known to date.
It means - use strong passwords!

Interesting article!
http://www.sans.org/rr/special/index.php?id=oracle_pass

[Updated on: Tue, 18 April 2006 23:31]

Re: How can the user SYS or SYSTEM to find out a user's password (merged) [message #168156 is a reply to message #168115] Wed, 19 April 2006 01:57
Maaher
Messages: 7065
Registered: December 2001
Senior Member
I read that article a couple of weeks ago (Pete Finnigan mentioned it on his blog) but I believe this rainbow table approach is not viable in a normal secured environment.

MHE
Re: How can the user SYS or SYSTEM to find out a user's password (merged) [message #168233 is a reply to message #168115] Wed, 19 April 2006 06:48
markmal
Messages: 113
Registered: April 2006
Location: Toronto, Canada
Senior Member
I totally agree with you.
Even with the known Oracle hashing algorithm (and its weaknesses) and known hashes from USER$, it will take dozens of days to crack an 8-char password. And the time will grow ~x40 times with every additional character.

[Updated on: Wed, 19 April 2006 06:49]

uninstalling oracle 10g [message #171826 is a reply to message #168233] Thu, 11 May 2006 11:46
hsrdsc4232
Messages: 4
Registered: May 2006
Junior Member
I have XP. I had loaded Oracle 10g. Now I want to uninstall this. I have done it through Add & Remove from Control Panel, but the whole of Oracle has not been removed. How should I completely remove this?
Please advise.
Re: How can the user SYS or SYSTEM to find out a user's password (merged) [message #201177 is a reply to message #162582] Thu, 02 November 2006 21:17
n_de_fontenay
Messages: 33
Registered: October 2006
Location: Paris
Member
On Oracle 8i, I've used a tool from http://red-database-security.com
It was great to monitor my database and scary to see that I could crack 98% of my users' passwords because they were very simple words.

It has been great to be able to see it and take action to make strong passwords (showing proof that passwords have been found, providing security training to users explaining "who is your enemy" and why to use a complex password).

Now with 10g this tool is not working anymore and I would be very happy to keep an eye on my users' passwords.

A system user and password are asked for to launch it.
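
An added example, not part of any post in this thread: one way to act on the "use strong passwords" advice above is an Oracle profile that combines a password verify function with a failed-login limit. The names strong_pw_check, app_users and appuser, and the 12-character minimum, are assumptions chosen for illustration.

```sql
-- Added example; hypothetical names: strong_pw_check, app_users, appuser.
-- Run as SYS: a password verify function must be owned by SYS.
CREATE OR REPLACE FUNCTION strong_pw_check (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
  has_letter  BOOLEAN := FALSE;
  has_digit   BOOLEAN := FALSE;
  has_special BOOLEAN := FALSE;
  ch          VARCHAR2(1 CHAR);
BEGIN
  -- Reject a password that equals the username (case-insensitively).
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20001, 'Password must differ from the username');
  END IF;

  -- Each extra character multiplies the search space; 12 is an assumed minimum.
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20002, 'Password must be at least 12 characters');
  END IF;

  -- Require mixed character classes so plain dictionary words are refused.
  FOR i IN 1 .. LENGTH(password) LOOP
    ch := SUBSTR(password, i, 1);
    IF ch BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(ch) BETWEEN 'A' AND 'Z' THEN
      has_letter := TRUE;
    ELSE
      has_special := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_letter AND has_digit AND has_special) THEN
    raise_application_error(-20003, 'Password needs a letter, a digit and a special character');
  END IF;
  RETURN TRUE;
END;
/

-- Lock the account for one day after five failed logins and enforce the check.
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_VERIFY_FUNCTION strong_pw_check;

ALTER USER appuser PROFILE app_users;
```

The failed-login limit only slows online guessing; comparing candidates against the stored hashes needs read access to them, so also restrict who can query SYS.USER$ and DBA_USERS.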