Oracle hashing algorithm

Posted on 2003-02-18
Last Modified: 2010-04-07
G'day

Does anyone know if the one-way hashing algorithm used by Oracle (817) to store user passwords is available anywhere? If so, what is the link?
(or procedure to call to return hashed value)

We are attempting to provide a change password utility in Mod SQL (PL/SQL Gateway), but to verify the user's existing password, we cannot change the existing password temporarily as per Tom Kyte's suggestion
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:258815248980
as the user profile does not allow similar passwords to be used.
We are wondering if we can use the same hashing algorithm to hash the existing password they enter, and compare it to the actual existing password for verification before changing their password to the one desired.

Thanks (a newbie to EE).
Question by:oz_bloke
3 Comments

Accepted Solution

by: nouellette earned 150 total points
ID: 7981667
I don't think you're going to find which algorithm they are using...because that's a potential security risk to just go ahead and tell the world this information.  This is just like describing which lock is used and then users can pretty much try various keys.  

My guess however would be some version of SHA1.


Expert Comment

by:Jason_Deckard
ID: 7981757
Greetings,

A brief search of Oracle's Tech Network (otn.oracle.com) led me to this page on password policy management:  http://otn.oracle.com/products/ias/daily/jun03.html

Apparently, Oracle supports MD4, MD5, SHA1, and UNIX Crypt.  It is up to the Oracle admin to choose which hash to use.  

Hope that helps,
Jason Deckard

Expert Comment

by:_musashi_
ID: 8202397
We solved this problem by placing a PL/SQL method in the database that essentially does:

EXECUTE IMMEDIATE 'ALTER USER ' || user_ || ' IDENTIFIED BY ' || password_;

We call the method using jdbc from the gateway component. The security is ensured due to the fact that a user can only change his own password.

A small security problem is that if the user logs in using a client that exposes this functionality, it is possible to change the password while the user is getting himself a cup of coffee.
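
A hardened form of the dynamic ALTER USER call from the comment above, as an added example that is not the poster's code: concatenating user_ and password_ into DDL unchecked lets either value alter the statement, so the target account is taken from the session and the password is validated before quoting. The procedure name, the 30-character limit and the error numbers are hypothetical, and it assumes a release where DBMS_ASSERT is installed and a caller connected as the end user.

```sql
-- Added example (not from the thread). Assumptions: DBMS_ASSERT is available,
-- the caller is connected as the end user, procedure name is hypothetical.
CREATE OR REPLACE PROCEDURE change_own_password (
    password_ IN VARCHAR2
) AUTHID CURRENT_USER
AS
    -- The target account comes from the session, never from a parameter,
    -- so a caller cannot name somebody else's account.
    user_ VARCHAR2(130) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    stmt_ VARCHAR2(400);
BEGIN
    -- An empty string is NULL in PL/SQL; the upper bound is an example limit.
    IF password_ IS NULL OR LENGTH(password_) > 30 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be 1 to 30 characters');
    END IF;

    -- A double quote would close the quoted password and let the rest of the
    -- input be parsed as part of the ALTER USER statement, so reject it.
    IF INSTR(password_, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not contain a double quote');
    END IF;

    -- DDL cannot take bind variables, so the statement is still concatenated,
    -- but only from a quoted session user name and a validated password.
    -- ENQUOTE_NAME raises an error if the name cannot be quoted safely;
    -- FALSE keeps the stored case of the user name.
    stmt_ := 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(user_, FALSE)
          || ' IDENTIFIED BY "' || password_ || '"';

    EXECUTE IMMEDIATE stmt_;
END change_own_password;
/
```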