Oracle user password hashes

We have an Oracle 11g database that drives one of our business applications. I am not an oracle admin and there is very little documentation on the application itself, however the application seems to have its own set of explicit login (username and password) credentials so I am guessing they are hashed somewhere in the database tables.

My question would be – are there any default oracle tables where user credentials would typically be? or tips on tracking down where the password hashes may be. Or can this differ from application to application? Any tips welcome. Apologies for the naivity of the question. My goal is to identify which database accounts can query the table the hashes are in, as we have some users who can access the database for data analysis purposes - but I dont want them to have access to the table.
LVL 3
pma111Asked:
Who is Participating?
 
slightwv (䄆 Netminder)Connect With a Mentor Commented:
If the app has it's own user/password tables, they could be anything.  You can look for tables with columns with common names but this is no guarantee:

select table_name, column_name from user_tab_columns where column_name like '%USER%' or column_name like '%PASS%';

The 100% way to know for sure is turn on tracing, log into the appo, turn off tracing and review the trace file.
0
 
sdstuberConnect With a Mentor Commented:
is the application using oracle's own database authentication?  if so, what you're looking for may be in sys.user$


http://www.experts-exchange.com/Database/Oracle/A_855-How-Oracle-Stores-Passwords.html
0
 
tvedtemConnect With a Mentor Commented:
There will almost certainly be a column called (something like) 'password' in one of the tables.
Hopefully, they won't be in plain text - and if not you might not need to worry as much about access to the table.  Still a good idea to restrict it if you can, though.
0
 
Devinder Singh VirdiConnect With a Mentor Lead Oracle DBA TeamCommented:
If application is storing application username/password inside database, then code can be scanned to find the table name. However this information can be stored in database other than application DB. It is also  possible that passwords are stored outside Oracle database.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.