Solved

Oracle user password hashes

Posted on 2013-01-15
4
532 Views
Last Modified: 2013-01-30
We have an Oracle 11g database that drives one of our business applications. I am not an oracle admin and there is very little documentation on the application itself, however the application seems to have its own set of explicit login (username and password) credentials so I am guessing they are hashed somewhere in the database tables.

My question would be – are there any default oracle tables where user credentials would typically be? or tips on tracking down where the password hashes may be. Or can this differ from application to application? Any tips welcome. Apologies for the naivity of the question. My goal is to identify which database accounts can query the table the hashes are in, as we have some users who can access the database for data analysis purposes - but I dont want them to have access to the table.
0
Comment
Question by:pma111
4 Comments
 
LVL 76

Accepted Solution

by:
slightwv (䄆 Netminder) earned 125 total points
ID: 38778402
If the app has it's own user/password tables, they could be anything.  You can look for tables with columns with common names but this is no guarantee:

select table_name, column_name from user_tab_columns where column_name like '%USER%' or column_name like '%PASS%';

The 100% way to know for sure is turn on tracing, log into the appo, turn off tracing and review the trace file.
0
 
LVL 73

Assisted Solution

by:sdstuber
sdstuber earned 125 total points
ID: 38778439
is the application using oracle's own database authentication?  if so, what you're looking for may be in sys.user$


http://www.experts-exchange.com/Database/Oracle/A_855-How-Oracle-Stores-Passwords.html
0
 
LVL 4

Assisted Solution

by:tvedtem
tvedtem earned 125 total points
ID: 38781534
There will almost certainly be a column called (something like) 'password' in one of the tables.
Hopefully, they won't be in plain text - and if not you might not need to worry as much about access to the table.  Still a good idea to restrict it if you can, though.
0
 
LVL 15

Assisted Solution

by:Devinder Singh Virdi
Devinder Singh Virdi earned 125 total points
ID: 38795117
If application is storing application username/password inside database, then code can be scanned to find the table name. However this information can be stored in database other than application DB. It is also  possible that passwords are stored outside Oracle database.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
report returning null 21 79
Oracle RAC 12c 8 54
What should be a storage size for SQL in day1, day2 and day 3 7 78
ITERATE THROUGH DATES 11 9
Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
This video shows how to configure and send email from and Oracle database using both UTL_SMTP and UTL_MAIL, as well as comparing UTL_SMTP to a manual SMTP conversation with a mail server.

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now