Solved

Oracle user password hashes

Posted on 2013-01-15
4
534 Views
Last Modified: 2013-01-30
We have an Oracle 11g database that drives one of our business applications. I am not an oracle admin and there is very little documentation on the application itself, however the application seems to have its own set of explicit login (username and password) credentials so I am guessing they are hashed somewhere in the database tables.

My question would be – are there any default oracle tables where user credentials would typically be? or tips on tracking down where the password hashes may be. Or can this differ from application to application? Any tips welcome. Apologies for the naivity of the question. My goal is to identify which database accounts can query the table the hashes are in, as we have some users who can access the database for data analysis purposes - but I dont want them to have access to the table.
0
Comment
Question by:pma111
4 Comments
 
LVL 76

Accepted Solution

by:
slightwv (䄆 Netminder) earned 125 total points
ID: 38778402
If the app has it's own user/password tables, they could be anything.  You can look for tables with columns with common names but this is no guarantee:

select table_name, column_name from user_tab_columns where column_name like '%USER%' or column_name like '%PASS%';

The 100% way to know for sure is turn on tracing, log into the appo, turn off tracing and review the trace file.
0
 
LVL 73

Assisted Solution

by:sdstuber
sdstuber earned 125 total points
ID: 38778439
is the application using oracle's own database authentication?  if so, what you're looking for may be in sys.user$


http://www.experts-exchange.com/Database/Oracle/A_855-How-Oracle-Stores-Passwords.html
0
 
LVL 4

Assisted Solution

by:tvedtem
tvedtem earned 125 total points
ID: 38781534
There will almost certainly be a column called (something like) 'password' in one of the tables.
Hopefully, they won't be in plain text - and if not you might not need to worry as much about access to the table.  Still a good idea to restrict it if you can, though.
0
 
LVL 15

Assisted Solution

by:Devinder Singh Virdi
Devinder Singh Virdi earned 125 total points
ID: 38795117
If application is storing application username/password inside database, then code can be scanned to find the table name. However this information can be stored in database other than application DB. It is also  possible that passwords are stored outside Oracle database.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Entering time in Microsoft Access can be difficult. An input mask often bothers users more than helping them and won't catch all typing errors. This article shows how to create a textbox for 24-hour time input with full validation politely catching …
CCModeler offers a way to enter basic information like entities, attributes and relationships and export them as yEd or erviz diagram. It also can import existing Access or SQL Server tables with relationships.
This video shows how to copy a database user from one database to another user DBMS_METADATA.  It also shows how to copy a user's permissions and discusses password hash differences between Oracle 10g and 11g.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question