The title of this post is a bit misleading. I am not a hacker and also this blog is not about how you can cheat on Oracle. The title comes from a colleague who asked me how he can get his password back if he forgets. The simple answer is that you can't. There is an easy way to get back your access to database but there is no way to get back your old password if you forgot. The reason is that Oracle does not store passwords rather it stores the hash value of passwords. There is no known way to decrypt this hash value and mechanism has never been shared by Oracle (and rightly so).
So if you have forgot your password, you can easily ask your DBA to reset it. The DBA will use the following command to do so.
SQL> alter user identified by ;
Regarding hash values being stored inside database, if you have database version 10g or earlier you can use the following command to get hash value.
SQL> select username,password from dba_users where username='SCOTT';
The problem with this approach was that any user can view at least his own password's hash value using the following command.
SQL> select username,password from user_users where username='SCOTT';
Starting from 11g Oracle has changed this. The hash values for passwords are not visible in password column of *_users views. The column will be blank. The hash values are only visible to DBAs now through a new view user$.
SQL> select name,password
2 from user$
3 where name='SCOTT';
NAME PASSWORD
------------------------------ ------------------------------
SCOTT F894844C34402B67
It is highly recommended that normal users should not have access to this view.
No comments:
Post a Comment