Oracle hashing algorithm

Posted on 2003-02-18
Medium Priority
Last Modified: 2010-04-07

Does anyone know if the one-way hashing algorithm used by Oracle (817) to store user passwords is available anywhere? If so, what is the link?
(or procedure to call to return hashed value)

We are attempting to provide a change password utility in Mod SQL (PL/SQL Gateway), but to verify the user's existing password, we cannot change the existing password temporarily as per Tom Kyte's suggestion, as the user profile does not allow similar passwords to be used.
We are wondering if we can use the same hashing algorithm to hash the existing password they enter, and compare it to the actual existing password for verification before changing their password to the one desired.

Thanks (a newbie to EE).
Question by: oz_bloke

Accepted Solution

nouellette earned 150 total points
ID: 7981667
I don't think you're going to find which algorithm they are using...because that's a potential security risk to just go ahead and tell the world this information.  This is just like describing which lock is used and then users can pretty much try various keys.  

My guess however would be some version of SHA1.


Expert Comment

ID: 7981757

A brief search of Oracle's Tech Network (otn.oracle.com) led me to this page on password policy management:  http://otn.oracle.com/products/ias/daily/jun03.html

Apparently, Oracle supports MD4, MD5, SHA1, and UNIX Crypt.  It is up to the Oracle admin to choose which hash to use.  

Hope that helps,
Jason Deckard

Expert Comment

ID: 8202397
We solved this problem by placing a PL/SQL method in the database that essentially does:

EXECUTE IMMEDIATE 'ALTER USER ' || user_ || ' IDENTIFIED BY ' || password_;

We call the method using JDBC from the gateway component. The security is ensured due to the fact that a user can only change his own password.

A small security problem is that if the user logs in using a client that exposes this functionality it is possible to change the password while the user is getting himself a cup of coffee.
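
An added example, not part of the comment above or any poster's code: one way to constrain the two values that the ALTER USER statement concatenates, since DDL cannot take bind variables. The procedure name and error number are hypothetical, and it assumes each user connects to the gateway with their own database account, the procedure owner holds ALTER USER, and the database release provides DBMS_ASSERT.

```sql
-- Added example (hypothetical procedure name; not code from the thread).
-- Assumes the owner holds ALTER USER and the release provides DBMS_ASSERT.
CREATE OR REPLACE PROCEDURE change_own_password (
    password_ IN VARCHAR2
) AUTHID DEFINER
AS
    -- The account name is read from the session, never from a caller-supplied
    -- argument, so the procedure can only act on the logged-in user.
    user_ VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
BEGIN
    -- DDL cannot take bind variables, so both values end up in the statement
    -- text. The password is wrapped in double quotes below; the only way out
    -- of that quoting is another double quote, so reject it up front.
    IF password_ IS NULL OR INSTR(password_, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Password is empty or contains a double quote');
    END IF;

    -- ENQUOTE_NAME returns the identifier in double quotes and raises an
    -- error if it could terminate the quoted name early. FALSE keeps the
    -- stored case of the session user name.
    EXECUTE IMMEDIATE
        'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(user_, FALSE)
        || ' IDENTIFIED BY "' || password_ || '"';
END change_own_password;
/
```

This does not check the user's existing password; it only narrows what the concatenated statement can contain.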

Question has a verified solution.