Solved

Oracle user password hashes

Posted on 2013-01-15
4
541 Views
Last Modified: 2013-01-30
We have an Oracle 11g database that drives one of our business applications. I am not an oracle admin and there is very little documentation on the application itself, however the application seems to have its own set of explicit login (username and password) credentials so I am guessing they are hashed somewhere in the database tables.

My question would be – are there any default oracle tables where user credentials would typically be? or tips on tracking down where the password hashes may be. Or can this differ from application to application? Any tips welcome. Apologies for the naivity of the question. My goal is to identify which database accounts can query the table the hashes are in, as we have some users who can access the database for data analysis purposes - but I dont want them to have access to the table.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 77

Accepted Solution

by:
slightwv (䄆 Netminder) earned 125 total points
ID: 38778402
If the app has it's own user/password tables, they could be anything.  You can look for tables with columns with common names but this is no guarantee:

select table_name, column_name from user_tab_columns where column_name like '%USER%' or column_name like '%PASS%';

The 100% way to know for sure is turn on tracing, log into the appo, turn off tracing and review the trace file.
0
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 125 total points
ID: 38778439
is the application using oracle's own database authentication?  if so, what you're looking for may be in sys.user$


http://www.experts-exchange.com/Database/Oracle/A_855-How-Oracle-Stores-Passwords.html
0
 
LVL 4

Assisted Solution

by:tvedtem
tvedtem earned 125 total points
ID: 38781534
There will almost certainly be a column called (something like) 'password' in one of the tables.
Hopefully, they won't be in plain text - and if not you might not need to worry as much about access to the table.  Still a good idea to restrict it if you can, though.
0
 
LVL 15

Assisted Solution

by:Devinder Singh Virdi
Devinder Singh Virdi earned 125 total points
ID: 38795117
If application is storing application username/password inside database, then code can be scanned to find the table name. However this information can be stored in database other than application DB. It is also  possible that passwords are stored outside Oracle database.
0

Featured Post

Webinar: MongoDB® Index Types

Join Percona’s Senior Technical Services Engineer, Adamo Tonete as he presents “MongoDB Index Types, How, When and Where Should They be Used?” on Wednesday, July 12, 2017 at 11:00 am PDT / 2:00 pm EDT (UTC-7).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Microsoft Access is a place to store data within tables and represent this stored data using multiple database objects such as in form of macros, forms, reports, etc. After a MS Access database is created there is need to improve the performance and…
This video explains at a high level about the four available data types in Oracle and how dates can be manipulated by the user to get data into and out of the database.
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question