duplicate passwords for oracle accounts

Could you identify Oracle accounts with the same password based on the hash value alone (without cracking it)? I.e. if 2 accounts have the same hash value, does that ultimately mean they have the same password? Would there be a query for 10g and 11g to identify accounts with a duplicate hash value (and presumably duplicate password)?
Asked by pma111
slightwv (Netminder) Commented:
Hashed passwords are different so the query doesn't mean anything

Do a simple test?  Create two users using the same password and look in DBA_USERS at the generated hashes.
Steve Wales, Senior Database Administrator, Commented:
I did a quick test:


SYS@dev> create user fred identified by password1;  

User created.

SYS@dev> create user barney identified by password1;

User created.

SYS@dev> select name, spare4 from sys.user$ where name in ('FRED','BARNEY');

NAME
------------------------------
SPARE4
------------------------------------------------------------------------------------------------------------------------------------
BARNEY
S:2A0B33A8EB455312B33E39C8E4E8939D0A8AAFDA8E433DC72E5A0BC772A9

FRED
S:608FBA3B1DDB73CFBE7CED807DBAD560CA6A9DAC5FBFC14AA0AED6DFA9E3
Based on the above, I'd have to say that different usernames with the same passwords are going to generate different hash keys for the password.

The above was tested in 11gR2.
sdstuber Commented:
If you are using 10g or lower style passwords then it's possible to detect patterns, but only in contrived circumstances:


myuser/password
my/userpassword
myuserpass/word

all hash to the same value in 10g and lower.
As you can see there is a pattern, but the passwords are still unique.


In 11g and higher, passwords are given a unique salt and don't duplicate hashes when generated by the system.

In 11g databases, you can look at dba_users to determine which password types you are using.

For more information...

http://www.experts-exchange.com/Database/Oracle/A_855-How-Oracle-Stores-Passwords.html
pma111 (Author) Commented:
Don't have an Oracle database to test it on. Not sure if you are saying in your reply "the same password could generate a different hash". I would have thought you could do a count-like clause on the hash column and if >1 the users have the same password.
slightwv (Netminder) Commented:
Same password, different accounts, different hash.

Select with count will not work.
sdstuber Commented:
>>> I would have thought you could do a count-like clause on the hash column and if >1 the users have the same password.


No, hashes are unique to the user/password combination in 10g (subject to hashing size limits of course).

System generated hashes are unique in 11g even over time (again, subject to hashing size limits).
For example, set an 11g password, check the hash, then set the same user to the same password and you'll get another distinct hash.

sdstuber Commented:
>>>  different usernames with the same passwords

As noted above, in 11g, even for the same user and the same password, the hash will change over time. The method for generating an 11g salt hasn't been published that I know of, but is, evidently, based on time.

Once generated though, it's easy to extract: the salt is the last 20 characters (hex display of 10 bytes) of the spare4 string.

Steve Wales, Senior Database Administrator, Commented:
If you want to test such things, you can download Oracle XE for free from http://www.oracle.com/technetwork/database/database-technologies/express-edition/downloads/index.html to play around with these kinds of features.

You can learn a lot by having a system that you can freely muck around in :)

sdstuber Commented:
So, in 11g, since the username is NOT part of the hash, yes, if two users have the exact same hash then they have the same password.

Note, this is exceedingly unlikely without contrivance by someone with elevated privileges.

sdstuber Commented:
For an example of what I mean by "contrivance by someone with elevated privileges".

C:\>sqlplus system@mydb

SQL> create user testuser identified by pa55w0rd;

User created.

SQL> select spare4 from sys.user$ where name like 'TESTUSER%';

SPARE4
--------------------------------------------------------------------------------
S:DA4F778E02246E9A59099D476E54F6A9BF07C34153EBB07E2FAE8905CA22

SQL> create user testuser2 identified by values 'S:DA4F778E02246E9A59099D476E54F6A9BF07C34153EBB07E2FAE8905CA22';

User created.

SQL> grant create session to testuser;

Grant succeeded.

SQL> grant create session to testuser2;

Grant succeeded.

SQL> connect testuser/pa55w0rd@mydb
Connected.
SQL> connect testuser2/pa55w0rd@mydb
Connected.
SQL> exit
I used the previously generated 11g hash as the value to assign to the new second user.
In 10g this would not work because the username is part of the hash.

But, as noted above, if you simply assign the password directly to both users, they will each get their own hash.

So, in general, no, you can't use a count of hash values to find duplicates; but if you do find them, it would be interesting in 11g, because it probably means your DBA has been messing around.
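The 11g verifier layout described above (salt in the last 20 characters of spare4) and the `identified by values` copy shown in the session, as an added Python example that is not part of this thread, the linked article, or Oracle's own code. It assumes the publicly documented 11g "S:" construction, SHA-1 over the password bytes followed by a 10-byte salt, hex-encoded and followed by the hex salt; the account names FRED, BARNEY and COPYCAT and their password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Layout assumed for an Oracle 11g "S:" verifier in SYS.USER$.SPARE4 (documented
# format; the thread itself only states that the salt is the last 20 characters):
#   "S:" + hex(SHA1(password_bytes || salt_bytes)) + hex(salt_bytes)
#   40 hex characters of SHA-1 digest followed by 20 hex characters (10 bytes) of salt.
SHA1_HEX_LEN = 40
SALT_HEX_LEN = 20
SALT_BYTES = 10


def make_spare4(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 11g-style verifier. Without an explicit salt a fresh random one is
    drawn, which is why two CREATE USER ... IDENTIFIED BY password1 calls differ."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("11g salt is exactly 10 bytes")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest()
    return "S:" + digest.upper() + salt.hex().upper()


def split_spare4(spare4: str) -> Tuple[str, str]:
    """Return (hash_hex, salt_hex) from a verifier; the salt is its last 20 characters."""
    if not spare4.startswith("S:") or len(spare4) != 2 + SHA1_HEX_LEN + SALT_HEX_LEN:
        raise ValueError("not an 11g 'S:' verifier")
    body = spare4[2:].upper()
    return body[:SHA1_HEX_LEN], body[SHA1_HEX_LEN:]


def verify_password(spare4: str, password: str) -> bool:
    """What the server does at logon: rehash with the stored salt and compare."""
    _, salt_hex = split_spare4(spare4)
    recomputed = make_spare4(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, spare4.upper())


def duplicate_hashes(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Client-side version of the GROUP BY spare4 HAVING COUNT(*) > 1 idea:
    map each verifier shared by more than one account to the account names."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, spare4 in rows:
        groups[spare4.upper()].append(name)
    return {v: names for v, names in groups.items() if len(names) > 1}


def demo() -> dict:
    """Constructed accounts: FRED and BARNEY get the same password through the normal
    path (fresh salt each); COPYCAT is created with IDENTIFIED BY VALUES copying FRED."""
    fred = make_spare4("password1")
    barney = make_spare4("password1")
    copycat = fred
    rows = [("FRED", fred), ("BARNEY", barney), ("COPYCAT", copycat)]
    return {
        # same password, different salt: the count query sees nothing
        "system_generated_differ": fred != barney,
        "salts_differ": split_spare4(fred)[1] != split_spare4(barney)[1],
        # both accounts still log on with password1
        "both_verify": verify_password(fred, "password1")
        and verify_password(barney, "password1"),
        # only the copied verifier shows up as a duplicate
        "duplicates": duplicate_hashes(rows),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real 11g system the rows for `duplicate_hashes` would come from `select name, spare4 from sys.user$`; any match among system-generated verifiers is exactly the "contrivance" case above, a verifier copied with `identified by values` rather than two accounts that happen to share a password.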

David, Senior Oracle Database Administrator, Commented:
Then there are the DBAs who use an identical set of users and passwords on multiple hosts; yea even production and development....

sdstuber Commented:
Checking for copied passwords across systems can be done by querying dba_users/sys.user$ on 10g, regardless of whether they were set by copying the hash or by assigning the same password and letting the system generate the hashes.

On 11g, if each system has its own system generated hash, then you won't get duplicate hashes even for the same user/same password.

If the 11g hashes are copied with "identified by values" as shown above, then, just like 10g hashes you'll see duplicates.

sdstuber Commented:
A penalty grade doesn't seem warranted here.

Please explain.