?
Solved

Oracle user password hashes

Posted on 2013-01-15
4
Medium Priority
?
542 Views
Last Modified: 2013-01-30
We have an Oracle 11g database that drives one of our business applications. I am not an oracle admin and there is very little documentation on the application itself, however the application seems to have its own set of explicit login (username and password) credentials so I am guessing they are hashed somewhere in the database tables.

My question would be – are there any default oracle tables where user credentials would typically be? or tips on tracking down where the password hashes may be. Or can this differ from application to application? Any tips welcome. Apologies for the naivity of the question. My goal is to identify which database accounts can query the table the hashes are in, as we have some users who can access the database for data analysis purposes - but I dont want them to have access to the table.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 500 total points
ID: 38778402
If the app has it's own user/password tables, they could be anything.  You can look for tables with columns with common names but this is no guarantee:

select table_name, column_name from user_tab_columns where column_name like '%USER%' or column_name like '%PASS%';

The 100% way to know for sure is turn on tracing, log into the appo, turn off tracing and review the trace file.
0
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 500 total points
ID: 38778439
is the application using oracle's own database authentication?  if so, what you're looking for may be in sys.user$


http://www.experts-exchange.com/Database/Oracle/A_855-How-Oracle-Stores-Passwords.html
0
 
LVL 4

Assisted Solution

by:tvedtem
tvedtem earned 500 total points
ID: 38781534
There will almost certainly be a column called (something like) 'password' in one of the tables.
Hopefully, they won't be in plain text - and if not you might not need to worry as much about access to the table.  Still a good idea to restrict it if you can, though.
0
 
LVL 15

Assisted Solution

by:Devinder Singh Virdi
Devinder Singh Virdi earned 500 total points
ID: 38795117
If application is storing application username/password inside database, then code can be scanned to find the table name. However this information can be stored in database other than application DB. It is also  possible that passwords are stored outside Oracle database.
0

Featured Post

Get MongoDB database support online, now!

At Percona’s web store you can order your MongoDB database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card. Handle your MongoDB database support now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to get a list of available printers for display in a drop-down list, and then to use the selected printer to print an Access report or a Word document filled with Access data, using different syntax as needed for working with …
In this blog post, we’ll look at how using thread_statistics can cause high memory usage.
This video shows setup options and the basic steps and syntax for duplicating (cloning) a database from one instance to another. Examples are given for duplicating to the same machine and to different machines
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question