1. Get rid of all advertisements and get unlimited access to documents by upgrading to Premium Membership. Upgrade to Premium Now and also get a Premium Badge!

Oracle Password Hash

Discussion in 'Server Administration and Options' started by Arju, Oct 10, 2008.

  1. Arju

    Arju Forum Expert

    Messages:
    107
    Likes Received:
    5
    Trophy Points:
    240
    Location:
    Bangladesh
    You know oracle password is hashed. You can observe this hash value in the password field of the dba_users view.
    Let's make user test1 with password t1.
    Code (Text):
    SQL> create user test1 identified by t1;

    User created.

    SQL> select password from dba_users where username='TEST1';

    PASSWORD
    ------------------------------
    D141404A85618E01
    You observe that password t1 is hashed to value D141404A85618E01.
    You might now expect that all t1 value will be hashed to D141404A85618E01. So if you get D141404A85618E01 in the password field you might expect password to be t1. But your assume is wrong.

    Oracle hash function is built based on username and password field. Thus test1 and t1 combination made password D141404A85618E01.

    Now if you make user test2 with password t2 then have a look at,
    Code (Text):
    SQL> create user test2 identified by t2;

    User created.
    SQL> select password from dba_users where username='TEST2';

    PASSWORD
    ------------------------------
    D4293E8AD97D7989
    It will expected that test2 and t2 will make unique using hash function to value D4293E8AD97D7989.

    Now if we change password to t1 of user t2 then we will see it will not match as of user test1 with password t1.
    Code (Text):
    SQL> alter user test2 identified by t1;

    User altered.

    SQL> select password from dba_users where username='TEST2';

    PASSWORD
    ------------------------------
    7D5822781CC10349
    However as hash function does not vary from database to database it's password is built on only username and password value so by getting hash value of 7D5822781CC10349 in the password field you conclude that username is test2 and password of test2 is t1.

    Just an experiment of different database.
    Code (Text):
    SQL> create user test2 identified by t1;

    User created.
    SQL> select password from dba_users where username='TEST2';

    PASSWORD
    ------------------------------
    7D5822781CC10349
     
  2. sameer

    sameer Forum Advisor

    Messages:
    105
    Likes Received:
    6
    Trophy Points:
    240

    So you are saying that if I get a particular hash value in one database and a same hash value in another database then the username/password combinations in both database are same.
     
  3. Arju

    Arju Forum Expert

    Messages:
    107
    Likes Received:
    5
    Trophy Points:
    240
    Location:
    Bangladesh
    Exactly. :D